Abstract

Much of the literature on rational cryptography focuses on analyzing the strategic 
properties of cryptographic protocols. However, due to the presence of computationally- 
bounded players and the asymptotic nature of cryptographic security, a definition of 
sequential rationality for this setting has thus far eluded researchers. 

We propose a new framework for overcoming these obstacles, and provide the first 
definitions of computational solution concepts that guarantee sequential rationality. 
We argue that natural computational variants of subgame perfection are too strong for 
cryptographic protocols. As an alternative, we introduce a weakening called threat-free 
Nash equilibrium that is more permissive but still eliminates the undesirable "empty 
threats" of non-sequential solution concepts. 

To demonstrate the applicability of our framework, we revisit the problem of implementing
a mediator for correlated equilibria (Dodis-Halevi-Rabin, Crypto'00), and
propose a variant of their protocol that is sequentially rational for a non-trivial class of 
correlated equilibria. Our treatment provides a better understanding of the conditions 
under which mediators in a correlated equilibrium can be replaced by a stable protocol. 

Keywords: rational cryptography, Nash equilibrium, subgame perfect equilibrium, 
sequential rationality, cryptographic protocols, correlated equilibrium 
1 Introduction



A recent line of research has considered replacing the traditional cryptographic modeling of 
adversaries with a game-theoretic one. Rather than assuming arbitrary malicious behavior, 
participants are viewed as being self-interested, rational entities that wish to maximize their 
own profit, and that would deviate from a protocol's prescribed instructions if and only if 
it is in their best interest to do so. 

Such game theoretic modeling is expected to facilitate the task of protocol design, since 
rational behavior may be easier to handle than malicious behavior. It also has the advantage 
of being more realistic in that it does not assume that some of the parties honestly follow 
the protocol's instructions, as is frequently done in cryptography. 

The interplay between cryptography and game theory can also be beneficial to the latter. 
For instance, using tools from secure computation, it has been shown how to transform 
games in the mediated model into games in the unmediated model. 

But regardless of whether one analyzes cryptographic protocols from a game theoretic 
perspective or whether one uses protocols to enhance game theory, it is clear that the results 
are meaningful only if one provides an adequate framework for such analyses. 

1.1 Computational Nash Equilibrium 

Applying game-theoretic reasoning in a cryptographic context consists of modeling inter- 
action as a game, and designing a protocol that is in equilibrium. The game specifies the 
model of interaction, as well as the utilities of the various players as a function of the game's 
outcome. The protocol lays out a specific plan of action for each player, with the goal of 
realizing some pre-specified task. Once a protocol has been shown to be in equilibrium, 
rational players are expected to follow it, thus reaching the desired outcome. 

A key difficulty in applying game-theoretic reasoning to the analysis of cryptographic 
protocols stems from the latter's use of computational infeasibility. Whereas game theory 
places no bounds on the computational ability of players, in cryptography it is typically 
assumed that players are computationally bounded. Thus, in order to retain the mean- 
ingfulness of cryptographic protocols, it is imperative to restrict the set of strategies that 
are available to protocol participants. This gives rise to a natural analog of Nash equi- 
librium (NE), referred to as computational Nash equilibrium (CNE): any polynomial-time 
computable deviation of a player from the specified protocol can improve her utility by only 
a negligible amount (assuming other players stick to the prescribed strategy). 

Consider, for example, the following (two-stage, zero-sum) game (related to a game
studied by Ben-Sasson et al. [3] and Fortnow and Santhanam [7]), which postulates the
existence of a one-way permutation $f : \{0,1\}^n \mapsto \{0,1\}^n$.

Example 1.1 (One-way permutation game):

1. $P_1$ chooses some $x \in \{0,1\}^n$, and sends $f(x)$.

2. $P_2$ sends a message $z \in \{0,1\}^n$.

3. $P_2$ wins (gets payoff 1) if $z = x$ (and gets $-1$ otherwise).
In classical game theory, in all NE of this game $P_2$ wins, since there always exists some
$z$ such that $z = x$. However, in the computational setting, the following is a CNE: both
players choose their messages uniformly at random (resulting in an expected loss for $P_2$).
This is true because if $P_2$ chooses $z$ at random, then $P_1$ can never improve his payoff by
not choosing at random. If $P_1$ chooses $x$ at random, then by the definition of a one-way
permutation, any computationally-bounded strategy $\sigma_2$ of $P_2$ will be able to guess the value
of $x$ with at most negligible (in $n$) probability. Thus, the expected utility of $P_2$ using $\sigma_2$ is
negligible, and so he loses at most that much by sticking to his CNE strategy (i.e. picking
some $z$ at random).

1.2 Computational Subgame Perfection 

The notion of CNE serves as a first stepping stone towards a game-theoretic treatment of 
cryptographic protocols. However, protocols are typically interactive, and CNE does not 
take their sequential nature into consideration. 

In traditional game theory interaction is modeled via extensive games. The most ba- 
sic equilibrium notion in this setting is subgame perfect equilibrium (SPE), which requires 
players' strategies to be in NE at any point of the interaction, regardless of the history of 
prior actions taken by other players. Basically, this ensures that players will not reconsider 
their actions as a result of reaching certain histories (a.k.a. "empty threats"). 

As already noted in previous works (cf. [161 OS ES] ) , it is not at all clear how to adapt 
SPE to the computational setting. A natural approach would be to require the strategies 
to be CNE at every possible history. However, if we condition on the history, then this 
means that different machines can and will do much better than the prescribed equilibrium 
strategy. For example, in the one-way permutation game of Example 1.1, given any message
history, a machine M can simply have the correct inverse hardwired.

Although this requirement can be relaxed to ask that the prescribed strategy should be 
better than any other fixed machine on all inputs, this again may be too strong, since a fixed 
machine can always do better on some histories. Therefore, it seems that we must accept 
the following: for any machine M, with high probability over possible message histories, the 
prescribed strategy does at least as well as M. However, it turns out that this approach 
also fails to capture our intuitive understanding of a computational SPE (CSPE). Consider 
the following (two-stage) variant of the one-way permutation game from Example 1.1:

Example 1.2 (Modified one-way permutation game): 

1. $P_1$ chooses some $x \in \{0,1\}^n$, and sends $f(x)$.

2. $P_2$ sends a message $z \in \{0,1\}^n$.

3. If exactly one of $P_1$ and $P_2$ send message 0, both players get payoff $-2$. If both players
send message 0, both players get payoff $+2$. Otherwise, $P_2$ wins (with payoff $+1$) if
and only if $z = x$, and the non-winning player loses (with payoff $-1$).

Using a similar argument to the one applied in Section 1.1, it can be shown that the
strategies in which both players choose a message uniformly at random from $\{0,1\}^n \setminus \{0\}$
satisfy the above "probabilistic" variant of CSPE. However, this equilibrium does not match
our intuitive understanding of SPE: $P_1$ will prefer to send message 0 regardless of $P_2$'s
strategy, knowing that $P_2$ will then respond with 0 as well. The threat of playing uniformly
from all other messages is empty, and hence should not be admitted by the definition.¹
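
The empty threat in Example 1.2, worked through at toy size as an added example (not code from the paper). Assumptions: n = 4, a toy permutation f that is not one-way, and P2's computational bound modelled by letting his reply depend only on whether he received f(0); all function and variable names are hypothetical.

```python
from fractions import Fraction
from itertools import product

N_BITS = 4                          # toy size (assumption); the paper's claims are asymptotic in n
MSGS = range(2 ** N_BITS)
NONZERO = [m for m in MSGS if m != 0]


def f(x):
    """Toy permutation of {0,1}^n standing in for the one-way permutation (NOT one-way)."""
    return (5 * x + 3) % (2 ** N_BITS)


def payoff(x, z):
    """(u1, u2) of Example 1.2 when P1 picked x and P2 sent z."""
    if (x == 0) != (z == 0):        # exactly one player sent message 0
        return (-2, -2)
    if x == 0:                      # both sent message 0
        return (2, 2)
    return (-1, 1) if z == x else (1, -1)


def uniform(support):
    return {m: Fraction(1, len(support)) for m in support}


def point(m):
    return {m: Fraction(1)}


def reply(p2, y):
    """P2's reply distribution to y = f(x). Modelling assumption for a bounded P2:
    he can recognise f(0) by computing f forward, but cannot invert any other y,
    so one distribution serves every other history."""
    return p2["at_zero"] if y == f(0) else p2["elsewhere"]


def expected(p1, p2):
    """Exact expected payoffs (u1, u2) for P1's distribution over x and P2's strategy."""
    u1 = u2 = Fraction(0)
    for x, px in p1.items():
        for z, pz in reply(p2, f(x)).items():
            a, b = payoff(x, z)
            u1 += px * pz * a
            u2 += px * pz * b
    return u1, u2


def deviation_gains(p1, p2):
    """Best unilateral gain of each player inside the constrained strategy sets.
    Payoffs are linear in each distribution, so pure deviations suffice."""
    u1, u2 = expected(p1, p2)
    g1 = max(expected(point(x), p2)[0] for x in MSGS) - u1
    g2 = max(expected(p1, {"at_zero": point(a), "elsewhere": point(b)})[1]
             for a, b in product(MSGS, repeat=2)) - u2
    return g1, g2


def is_nash(p1, p2):
    return all(g <= 0 for g in deviation_gains(p1, p2))


def gain_from_sending_zero(p1, p2):
    """P1's gain from deviating to x = 0 when P2 then plays his payoff-maximising
    reply at that history instead of the prescribed one. A positive value means
    the prescribed reply after f(0) was an empty threat."""
    best_z = max(MSGS, key=lambda z: payoff(0, z)[1])
    rational_p2 = {"at_zero": point(best_z), "elsewhere": p2["elsewhere"]}
    return expected(point(0), rational_p2)[0] - expected(p1, p2)[0]


# Profile from the text: both players uniform over nonzero messages.
RANDOM = (uniform(NONZERO), {"at_zero": uniform(NONZERO), "elsewhere": uniform(NONZERO)})
# Profile in which P2 answers 0 after history f(0), and P1 therefore sends 0.
ZERO = (point(0), {"at_zero": point(0), "elsewhere": uniform(NONZERO)})

if __name__ == "__main__":
    for name, prof in (("random", RANDOM), ("zero", ZERO)):
        print(name, "payoffs", expected(*prof), "NE", is_nash(*prof),
              "P1 gain from 0:", gain_from_sending_zero(*prof))
```

Under these assumptions the random profile passes the Nash check, yet P1 gains by sending 0 once P2 replies optimally at that history; the second profile passes both checks.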

The examples above are rather simple, so it is reasonable to expect that issues arising in 
their analyses are inherent in many other cryptographic protocols. This raises the question 
of whether a computational variant of SPE is at all attainable in a cryptographic setting. 

At the heart of this question is the fact that essentially any cryptographic protocol 
carries some small (but positive) probability of being broken. This means that, while there 
may be a polynomial-time TM that can "perform well" on the average message history, 
there is no single TM that will do better than all other TMs on every history (as for any 
history there exists some TM that has the corresponding "secret information" hardwired). 

This state of affairs calls for an alternative approach. While such an approach should 
be meaningful enough to express strategic considerations in an interactive setting, it should 
also be sufficiently weak to be realizable. As demonstrated above, any approach for tackling 
this challenge should explicitly address the associated probability of error. It should also 
take asymptotics into consideration. 

2 Our Results 

We propose a new framework for guaranteeing sequential rationality in a computational 
setting. Our starting point is a weakening of subgame perfection, called threat-free Nash 
equilibrium, that is more permissive, but still eliminates the undesirable empty threats of 
non-sequential solution concepts. 

To cast our new solution concept into the computational setting, we develop a methodol- 
ogy that enables us to "translate" arguments that involve computational infeasibility into a 
purely game theoretic language. This translation enables us to argue about game theoretic 
concepts directly, abstracting away complications that are related to computation. 

In order to demonstrate the applicability of our framework, we revisit the problem 
of implementing a mediator for correlated equilibria [6], and propose a protocol that is
sequentially rational for a non-trivial class of correlated equilibria (see Section 2.3 for details).
Our treatment provides a better understanding of the conditions under which mediators in 
a correlated equilibrium can be replaced by a stable protocol. 

2.1 Threat-Free Nash Equilibria 

We introduce threat-free Nash equilibria (TFNE), a weakening of subgame perfection whose 
objective is to capture strategic considerations in an interactive setting. Loosely speaking, 
a pair of strategies in an extensive game is a TFNE if it is a NE, and if in addition no player 
is facing an empty threat at any history. 

The problem of empty threats is the following: in a NE of an extensive game, it is
possible that a player plays sub-optimally at a history that is reached with probability 0.
The other player may strategically choose to deviate from his prescribed strategy and arrive
at that history, knowing that this will cause the first player to play an optimal response
rather than the prescribed one. In an SPE this problem is eliminated by requiring that
no player can play sub-optimally at any history, and so no other player will strategically
deviate and take advantage of this.

1 We note that a simple change to the payoffs yields a game whose empty threat is more "typical": For
the case in which both players send message 0, let $P_2$'s payoff be $-3/2$.

The main observation leading to the definition of TFNE is that the above requirement 
may be too strong a condition to eliminate such instability: if an optimal response of a player 
decreases the utility of the other, then this other player would not want to strategically 
deviate. By explicitly ruling out this possibility, the instability caused by empty threats is 
eliminated, despite the equilibrium notion being more permissive than subgame perfection. 

To make this precise, we give the first formal definition of an empty threat in extensive 
games. The definition is regressive: Roughly speaking, a player i is facing a threat at a 
history if there is some deviation at that history, along with a threat-free continuation from 
that history onwards, so that i increases his overall expected payoff when the players play 
this new deviation and continuation. 

We note that the notion of TFNE is strong enough to eliminate the undesirable strategy
of playing randomly in the modified OWP game from Example 1.2: Claim [57131 shows that
in any computational TFNE of this game the second player outputs 0 after history 0.

2.2 Strategy-Filters and Tractable Strategies 

To cast the definition of TFNE into a computational setting, we map the given protocol 
into a sequence of extensive games using strategy-filters that map computable strategies into 
their "strategic representation" (the strategic representation corresponds to the strategy 
effectively played by a given interactive Turing machine). We can then apply pure game 
theoretic solution concepts, and in particular our newly introduced concept of TFNE, to 
understand the strategic behavior of players. 

Similarly to the definition of CNE, the computational treatment departs from the traditional
game theoretic treatment in two crucial ways. First of all, our definition is framed
asymptotically (in order to capture computational infeasibility), whereas traditional game
theory is framed for finitely sized games. Second, it allows for a certain error probability.
This is an artifact of the (typically negligible) probability with which the security of
essentially any cryptographic scheme can be broken.

Given a cryptographic protocol, we consider a corresponding sequence of extensive
games. The sequence is indexed by a security parameter $k$ and an error parameter $\epsilon$.
For each game, we "constrain" the strategies available to players to be a subset of those
that can be generated by PPT players in the protocol. Intuitively, the game indexed by
$(k, \epsilon)$ contains those strategies that run in time polynomial in $k$ and "break crypto" with
probability at most $\epsilon$. We also require that strategy-filters be PPT-covering: that for any
polynomially-small $\epsilon$, every PPT is eventually a legal strategy, far enough into the sequence
of extensive games.

Using this framework we formalize the notion of a computational threat-free Nash equi- 
librium (CTFNE). To the best of our knowledge this is the first attempt at analyzing 
sequential strategic reasoning in the presence of computational infeasibility. 
2.3 Applications

Our treatment provides a powerful tool for arguing about the strategic behavior of players 
in a cryptographic protocol. It also enables us to isolate sequential strategic considerations 
that are suitable for use in cryptographic protocols (so that the solution concept is not too 
weak and not too strong). 

As a warm up, we demonstrate the applicability of our framework and solution concept 
to the "coin-flipping game" that corresponds to Blum's coin-flipping protocol [5]. One 
may view this as playing the classic game of matching pennies without simultaneity (but with
cryptography). We show that it is possible to exploit the specific structure of the game to 
implement a correlating device resulting in a CTFNE. This is in contrast to the general 
approach of [6] that only enables one to argue CNE. This result already demonstrates the 
added strength of our framework and definition. 

We then revisit the general problem of implementing a mediator for correlated equilibria
[6], and propose a protocol that is sequentially rational for a non-trivial class of
correlated equilibria. In particular, our protocol is in a CTFNE for correlated equilibria
that are convex combinations of Nash equilibria and that are "undominated": There does
not exist any convex combination of Nash equilibria for which both players get a strictly 
higher expected payoff. 

Our treatment explores the conditions under which mediators in a correlated equilibrium 
can be replaced by a stable protocol, and sheds light on some structural properties of such 
equilibria. 

Finally, we prove a general theorem that identifies sufficient conditions for a TFNE in 
extensive games. Namely, we show that if an undominated NE has the additional property 
that no player can harm the other by a unilateral deviation, then that NE must also be 
threat-free. 

2.4 Related Work 

This paper contributes to the growing literature on rational cryptography. Many of the 
papers in this line of research, such as |^ [JBl 111 ISl I2D1 1221 IISl IIH1 1231 121 DI3 > 
explore various solution concepts for cryptographic protocols viewed as games (often in 
the context of rational secret-sharing). Aside from the works of Lepinski et al. [15, 20],
Ong et al. [26], and Gradwohl [10], who work in a different model², all prior literature has
considered solution concepts that are non-sequential. More specifically, they all use variants 
of NE such as strict NE, NE with stability to trembles, and everlasting equilibrium. 

An additional related work is that of Halpern and Pass [TJj, in which the authors 
present a general framework for game theory in a setting with computational cost. While 
their approach to computational limitations is more general than ours, they only address 
NE. Finally, Fortnow and Santhanam [7] study a different framework for games with com- 
putational limits, but also only in the context of NE. 

2 More specifically, [15, 20] make strong physical assumptions, [26] assume the existence of a fraction of
honest (non-rational) players, and [26, 10] work in an information-theoretic setting.






2.5 Future Work 



One potential application of our new definition is an analysis of rational secret-sharing 
protocols. While the design of such a protocol that is in a CTFNE is not within the 
scope of the current paper, we do provide some intuition about why known gradual release 
protocols satisfy a slightly weaker solution concept. Consider the following simple setting: 
each of two players knows a bit, and the XOR of the two bits is the secret. Secret exchange 
protocols, for example [21], allow the players to exchange their respective bits and thus 
learn the secret in such a way that even if one of the players cheats, he can reconstruct the 
secret with probability at most $\epsilon$ more than the other player. Then under the assumptions
on players' utilities used by [17], any unilateral deviation from this protocol can get the
deviating player an increase of only $O(\epsilon)$ in utility. However, since the other player can
always correctly guess the secret with almost the same probability (up to the additive $\epsilon$),
the potential benefit to a player of deviating, causing the other to deviate, and so on,
is also at most $O(\epsilon)$. Thus, this protocol is in a computational variant of $\epsilon$-NE and is
also $\epsilon$-threat-free. The reason this is weaker than our current solution concept is that we
require the benefit from a threat or a deviation to be negligible, whereas in [21] the $\epsilon$ is
polynomially-small (in the number of rounds of the protocol).

There are numerous other compelling problems left for future work. The first problem is 
to extend our definition to games with simultaneous moves. While we do offer a partial ex- 
tension tailored to the problem of implementing a mediator, the problem of defining CTFNE 
for general games with simultaneous moves is open. Such a definition would be particularly 
useful for a sequential analysis of protocols with a simultaneous channel. Another natural 
extension of the definition is to multiple players, as opposed to 2. Such an extension comes 
with its own challenges, particularly with regard to the possibility of collusion. A third 
extension is to incorporate the threat-freeness property with stronger variants of NE, such 
as stability with respect to trembles, strict NE, or survival of iterated elimination of dom- 
inated strategies. Finally, we would like to find more applications for our definition. One 
particularly interesting problem is to extend our results on the implementation of mediators 
to a larger class of correlated equilibria. 

3 Game Theory Definitions 

3.1 Extensive Games 

Informally, a game in extensive form can be described as a game tree in which each node is 
owned by some player and edges are labeled by legal actions. The game begins at the root, 
and at each step follows the edge labeled by the action chosen by the current node's owner. 
Utilities of players are given at the leaves of the tree. More formally, we have the following 
standard definition of extensive games (see, for example, Osborne and Rubinstein [27]): 

Definition 3.1 (Extensive game) A 2-person extensive game is a tuple $\Gamma = (H, P, A, u)$
where

• $H$ is a set of (finite) history sequences such that the empty word $\epsilon \in H$. A history
$h \in H$ is terminal if $\{a : (h,a) \in H\} = \emptyset$. The set of terminal histories is denoted
$Z$.

• $P : (H \setminus Z) \to \{1, 2\}$ is a function that assigns a "next" player to every non-terminal
history.

• $A$ is a function that, for every non-terminal history $h \in H \setminus Z$, assigns a finite set
$A(h) = \{a : (h,a) \in H\}$ of available actions to player $P(h)$.

• $u = (u_1, u_2)$ is a pair of payoff functions $u_i : Z \mapsto \mathbb{R}$.

We will denote the two players by $P_1$ and $P_2$ and by $P_i$ and $P_{-i}$, where $i \in \{1,2\}$ and
$-i$ is shorthand for $2 - i$.

Definition 3.2 (Behavioral strategy) Behavioral strategies of players in an extensive
game are collections $\sigma_i = (\sigma_i(h))_{h : P(h) = i}$ of independent probability measures, where $\sigma_i(h)$
is a probability measure over $A(h)$.

For any extensive game $\Gamma = (H, P, A, u)$, any player $i$, and any history $h$ satisfying
$P(h) = i$, we denote by $\Sigma_i(h)$ the set of all probability measures over $A(h)$. We denote by
$\Sigma_i$ the set of all strategies $\sigma_i$ of player $i$ in $\Gamma$. For each profile $\sigma = (\sigma_1, \sigma_2)$ of strategies,
define the outcome $O(\sigma)$ to be the probability distribution over terminal histories that
results when each player $i$ follows strategy $\sigma_i$. Note that if both $\sigma_1$ and $\sigma_2$ are deterministic
(i.e. deterministic on every history), then so is the outcome $O(\sigma)$.

3.2 Nash Equilibrium 

Each profile of strategies yields a distribution over outcomes, and we are interested in 
profiles that guarantee the players some sort of optimal outcomes. There are many solution 
concepts that capture various meanings of "optimal," and one of the most basic is the Nash 
equilibrium (NE). 

Definition 3.3 (Nash equilibrium (NE)) An $\epsilon$-Nash equilibrium of an extensive game
$\Gamma = (H, P, A, u)$ is a profile $\sigma^*$ of strategies such that for each player $i$,

$$E[u_i(O(\sigma^*))] \ge E[u_i(O(\sigma^*_{-i}, \sigma_i))] - \epsilon$$

for every strategy $\sigma_i$ of player $i$. It is a NE if the above holds for $\epsilon$ < and a strict NE if
it holds for some $\epsilon < 0$.

One of the premises behind the stability of profiles that are in an $\epsilon$-NE is that players
will not bother to deviate for a mere gain of $\epsilon$. For applications in cryptography we will
generally have $\epsilon$ be some negligible function, and this corresponds to our understanding
that we do not care about negligible gains.

3.3 Subgame Perfect Equilibrium 

One of the problems with NE in extensive games is the presence of empty threats: a player's 
equilibrium strategy may specify a sub-optimal strategy at a history that is reached with 
probability 0. The other player, knowing this, may strategically deviate to reach that 
history, predicting that the first player will also deviate. For more details and explicit
examples see any textbook on game theory, such as [27]. 

The most basic solution to the problem of empty threats is to refine the NE solution, 
and require a strategy profile to be in a NE at every history in the game. This results in a 
profile that is in subgame perfect equilibrium (SPE). 

Definition 3.4 (Subgames of extensive game) For any 2-person extensive game $\Gamma =
(H, P, A, u)$ and any non-terminal history $h \in H$, the subgame $\Gamma|_h$ is the 2-person extensive
game $\Gamma|_h = (H|_h, P|_h, A|_h, u|_h)$, where

• $h' \in H|_h$ if and only if $h \circ h' \in H$,

• $P|_h(h') = P(h \circ h')$,

• $A|_h(h') = A(h \circ h')$, and

• $u_i|_h(h') = u_i(h \circ h')$.

For each profile $\sigma = (\sigma_1, \sigma_2)$ of strategies and history $h \in H$, define the conditional
outcome $O(\sigma)|_h$ to be the probability distribution over terminal histories that results when
the game starts at a history $h$, and from that point onwards each player $i$ follows strategy
$\sigma_i$.

Definition 3.5 (Subgame perfect equilibrium (SPE)) An $\epsilon$-subgame perfect equilibrium
of an extensive game $\Gamma = (H, P, A, u)$ is a profile $\sigma^*$ of strategies such that for each
player $i$ and each non-terminal history $h \in H$,

$$E[u_i(O(\sigma^*)|_h)] \ge E[u_i(O(\sigma^*_{-i}, \sigma_i)|_h)] - \epsilon$$

for every strategy $\sigma_i$ of player $i$. It is an SPE if the above holds for $\epsilon = 0$ and a strict SPE
if it holds for some $\epsilon < 0$.

3.4 Constrained Games 

In the standard game theory literature, where there are no computational constraints on
the players, the available strategies of player $i$ are all possible collections $(\sigma_i(h))_{h : P(h) = i}$,
where $\sigma_i(h)$ is an arbitrary distribution over $A(h)$. In our setting, however, we will only
consider strategies that can be implemented by computationally bounded ITMs. This requires
being able to constrain players' strategies to a strict subset of the possible strategies.
One natural way to restrict the strategies is to allow only a subset of all distributions over
$A(h)$ at each history $h$. However, this does not enable us to capture more elaborate restrictions,
and specifically ones that might result from requiring strategies to be implementable
by polynomial time ITMs. (For example, a player might have for every possible history a
strategy that plays best response on that history, but no strategy that plays best response
on all histories.) To capture these more elaborate restrictions, we consider player $i$ strategies
that are restricted to an arbitrary subset $T_i$ of all possible (mixed) strategies.

Given a pair $T = (T_1, T_2)$ of such sets we can then define a constrained version of a
game, in which only strategies that belong to these sets are considered.
Definition 3.6 (Constrained game) Let $\Gamma = (H, P, A, u)$ be an extensive game and let
$T = (T_1, T_2)$, where $T_i \subseteq \bigotimes_{h : P(h) = i} \Sigma_i(h)$ for each $i \in \{1,2\}$. The $T$-constrained version of
$\Gamma$ is the game in which the only allowed strategies for player $i$ belong to $T_i$.

NE of constrained games are defined similarly to regular NE, except that players' strate- 
gies and deviations must be from the constraint sets. 

Definition 3.7 (NE in constrained games) An $\epsilon$-Nash equilibrium of a $(T_1, T_2)$-constrained
version of an extensive game $\Gamma = (H, P, A, u)$ is a profile $\sigma^* \in (T_1, T_2)$ of strategies such
that for each player $i$,

$$E[u_i(O(\sigma^*))] \ge E[u_i(O(\sigma^*_{-i}, \sigma_i))] - \epsilon$$

for every strategy $\sigma_i \in T_i$ of player $i$. It is a NE if the above holds for $\epsilon$ < and a strict
NE if it holds for some $\epsilon < 0$.

4 Threat-Free Nash Equilibrium 

Our starting point is the inadequacy of subgame perfection in capturing sequential rationality
in a computational context. As argued in Section 1.2, it is unreasonable to require
computationally-bounded players to play optimally at every node of a game. In particular,
in cryptographic settings this requires breaking the security of the protocol, which is
assumed impossible under the computational constraints.

A possible idea might be to require that players "play optimally at every node of the 
game, under their computational constraints." However, this idea cannot be interpreted in 
a sensible way. Computational constraints must be defined "globally," and thus the notion 
of playing optimally under some computational constraint on a particular history is sense- 
less. In particular, for any history of some cryptographic protocol, there is a small machine 
that plays optimally on this specific history unconditionally (and breaks "cryptographic 
challenges" appearing in this history, by having the solutions hardwired). This machine is 
efficient, and so meets essentially any computational constraint. So, while under compu- 
tational constraints every machine fails on cryptographic challenges in most histories, for 
every history there is a machine that succeeds. We thus assume that a player chooses his 
machine before the game starts, and cannot change his machine later. 

4.1 A New Solution Concept 

In light of the above discussion, it seems like the solution concept we are looking for has to 
reconcile the following seemingly conflicting properties: 

1. It implies an optimal strategy for the players under their computational constraints, 
which implies non- optimal play on certain histories. 

2. It does not allow empty threats, thus implying "sequential rationality." 

The crucial observation behind our definition is that in order to rule out empty threats,
one does not necessarily need to require that players play optimally at every node, because
not every non-optimal play carries a threat to other players. In fact, in a typical
cryptographic protocol, the security of each player is building on other players not playing
optimally (because playing optimally would mean breaking the security of the protocol).
Thus, a player's "declaration" to play non-optimally does not necessarily carry a threat: the
other players may even gain from it. More generally, even in non-cryptographic protocols,
at least in 2-player perfect information games, we can use the following observation: in any
computational challenge, either a player gains from the other not playing optimally, or, if he
does not gain, he can avoid introducing that computational challenge to the other player.³

Following the above observation, we introduce a new solution concept for extensive 
games. The new solution concept requires that players be in NE, and moreover, that no 
player impose an empty threat on the other. At the same time, it does not require players to 
play optimally at every node. In other words, players may (declare to) play non-optimally 
on non-equilibrium support, yet this declaration of non-optimal play does not carry an 
empty threat. We call our new solution concept TFNE, for threat-free Nash equilibrium. 

To make the above precise, we introduce a formal definition of an empty threat. An 
empty threat occurs when a player threatens to play "non-rationally" on some history in 
order to coerce the other player to avoid this history. Crucially, empty threats are such 
that, had the threatened not believed the threat, had he deviated accordingly, and had the 
threatening player played "rationally," the threatened player would have benefitted. To 
rephrase our intuition: a player faces an empty threat with respect to some strategy profile 
if by deviating from his prescribed strategy, and having the other player react "rationally," 
he improves his payoff (in comparison with sticking to the prescribed strategy and having 
the other player react "rationally" from then on). 

But what does it mean for the other player to react "rationally" ? The other player may 
assume, recursively, that the first player will play a best response, and will not carry out 
empty threats against him, and so on, leading to a regressive definition. 

4.2 Vanilla Version 

Before giving the general definition of TFNE that we will use, we present a simpler version 
that has no slackness parameter and that works for games without constrained strategies. 

For a player $i$ and a history $h$, two strategies $\sigma_i$ and $\pi_i$ are equivalent for player $i$ on
$h$ if $P(h) = i$ and $\sigma_i(h) = \pi_i(h)$, or $P(h) \ne i$. Two strategies differ only on the subgame
$h$ if they are equivalent on every non-terminal history that does not have $h$ as a prefix.
Formally, they are equivalent on every history in $H \setminus \{h' \in H : h' = h \circ h''$ for some $h''\}$.
For a history $h \in H$, a strategy $\sigma$, and a distribution $\tau = \tau(h)$ on $A(h)$, let

$$\mathrm{Cont}(h, \sigma, \tau) = \{\pi : (\pi \text{ differs from } \sigma \text{ only on the subgame } h) \ \&\ (\pi(h) = \tau(h))\}.$$

We now proceed to define a threat. For simplicity, we will do so for generic games, in which
each player's possible payoffs are distinct. For such games, the set $\mathrm{Cont}(h, \sigma, \tau)$ always
contains exactly one "threat-free" element (defined below).



3 This is indeed an informal statement. In fact, we should add the disclaimer that computational hardness 
for one player does not necessarily have to stem from the strategy of the other. For example, the utility 
function may be computationally hard. 
Definition 4.1 (Threat) Let $\Gamma = (H, P, A, u)$ be an extensive game with distinct payoffs. 
Let $\sigma$ be a strategy profile, and let $h \in H$. Player $i = P(h)$ is facing a threat at history 
$h$ with respect to $\sigma$ if there exists a distribution $\tau = \tau(h)$ over $A(h)$ such that the unique 
$\pi \in \mathrm{Cont}(h, \sigma, \tau)$ and $\pi' \in \mathrm{Cont}(h, \sigma, \sigma)$ that are threat-free on $h$ satisfy 

$$E[u_i(O(\pi))] > E[u_i(O(\pi'))],$$

where strategy $\pi$ is threat-free on $h$ if for all $h' \neq \epsilon$ satisfying $h \circ h' \in H$ player $P(h \circ h')$ is 
not facing a threat at $h \circ h'$ with respect to $\pi$. 

Note that if $h$ is such that for all $a \in A(h)$ it holds that $h \circ a \in Z$, then any profile $\pi$ is 
threat-free on $h$. 

Definition 4.2 (Threat-free Nash equilibrium) Let $\Gamma = (H, P, A, u)$ be an extensive 
game. A strategy profile $\sigma^*$ is a threat-free Nash equilibrium (TFNE) if: 

1. $\sigma^*$ is a NE of $\Gamma$, and 

2. for any $h \in H$, player $P(h)$ is not facing a threat at history $h$ with respect to $\sigma^*$. 

Note that in every profile that is in a TFNE, the effective play matches some SPE 
profile (more precisely, there is an SPE profile that yields exactly the same distribution on 
outcomes). This and other properties of threats and TFNE are formalized in the companion 
paper to this work. 

In the definition of a threat we used the fact that $\mathrm{Cont}(h, \sigma, \tau)$ and $\mathrm{Cont}(h, \sigma, \sigma)$ each 
contain exactly one profile that is threat-free on $h$. To show that this must be the case, we 
have the following proposition, which is not unlike the fact that generic games have unique 
subgame perfect equilibria. 

Proposition 4.3 For any extensive game $\Gamma = (H, P, A, u)$, strategy profile $\sigma$, player $i$, 
history $h \in H \setminus Z$ with $P(h) = i$, and distribution $\tau$ over $A(h)$, the set $\mathrm{Cont}(h, \sigma, \tau)$ 
contains exactly one profile that is threat-free on $h$. 

Proof: For any history $h \in H \setminus Z$, let $\mathrm{height}(h)$ be the maximal distance between $h$ and 
a descendant of $h$ (i.e. the leaf that is furthest away from $h$ but lies on the subtree rooted 
by $h$). The proof of the proposition is by induction on $\mathrm{height}(h)$. 

For the base case $\mathrm{height}(h) = 1$, note that there is exactly one element in $\mathrm{Cont}(h, \sigma, \tau)$ 
and that this profile is threat-free on $h$ (since $h$ is a last move of the game). 

Next, suppose the claim of the proposition holds for all histories $h$ with $\mathrm{height}(h) < k$. 
We will prove that it holds for histories $h$ with $\mathrm{height}(h) = k$. To this end, fix such a 
history $h^0$, and suppose the children of $h^0$ in the game tree are $h^1, \ldots, h^t$. Suppose also 
that $P(h^0) = i$ and $P(h^1) = \ldots = P(h^t) = -i$, and note that this is without loss of 
generality. 

Consider the profile $\pi^0$ that is identical to $\sigma$ except at history $h$, and fix $\pi^0(h) = \tau(h)$. 
We now repeat the following process in succession for each $j \in \{1, \ldots, t\}$: For any such $j$, 
let 

$\pi$ is threat-free on $h^j$ 
We then choose a profile $\pi^j \in \mathrm{TF}(h^j)$ that satisfies 

$$u_{-i}(\pi^j) \ge u_{-i}(\pi'')$$

for all $\pi'' \in \mathrm{TF}(h^j)$. Because payoffs for player $-i$ are distinct, it must be the case that 
there exists a unique maximal $\pi^j$. That is, there can be no $\pi''$ that is different from $\pi^j$ and 
has the same payoff for player $-i$. 

After doing this for all $h^j \in \{h^1, \ldots, h^t\}$ we have a profile $\pi^t$ that we claim is threat-free 
on $h$. To see this, observe that for all $j \in \{1, \ldots, t\}$, $\pi^j$ is threat-free on $h^j$ because we 
chose it to be a threat-free profile from $\mathrm{Cont}(h^j, \pi^{j-1}, \tau'')$. However, since for each $j$ we 
chose a maximal $\tau^j$, there are no threats at the histories $h^j$ either. Finally, uniqueness of 
$\pi^j$ is guaranteed by the fact that for each $j$, our choice of a maximal $\tau^j$ was unique. ∎ 
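The following Python sketch is an added example, not code from the paper. It checks Definitions 4.1 and 4.2 on small finite trees, computing the threat-free continuation by the backward choice of a maximal profile used in the proof of Proposition 4.3. It assumes that expected payoffs are measured from the start of the game (so a history reached with probability 0 never carries a threat) and that testing pure deviations suffices because expected payoffs are linear in $\tau$; the tree encoding, function names and both sample games are constructed for illustration.

```python
from fractions import Fraction

# Game trees: ("leaf", (u1, u2)) or ("move", player, {action: subtree}).
# A history is a tuple of actions; a profile maps every non-terminal history
# to a distribution {action: probability}. All names here are illustrative.
def leaf(u1, u2):
    return ("leaf", (Fraction(u1), Fraction(u2)))

def move(player, **children):
    return ("move", player, children)

def node_at(game, h):
    for a in h:
        game = game[2][a]
    return game

def histories(game, h=()):
    """Yield every non-terminal history of the game."""
    node = node_at(game, h)
    if node[0] == "move":
        yield h
        for a in node[2]:
            yield from histories(game, h + (a,))

def value(game, sigma, h=()):
    """Expected payoff vector of sigma, conditioned on history h."""
    node = node_at(game, h)
    if node[0] == "leaf":
        return node[1]
    below = {a: value(game, sigma, h + (a,)) for a in node[2]}
    return tuple(sum(sigma[h].get(a, 0) * v[i] for a, v in below.items())
                 for i in range(2))

def threat_free_value(game, h):
    """Payoffs of the threat-free continuation once h is reached: each mover
    takes the action that is best for him against threat-free play below
    (unique when payoffs are distinct, as in Proposition 4.3)."""
    node = node_at(game, h)
    if node[0] == "leaf":
        return node[1]
    i = node[1] - 1
    return max((threat_free_value(game, h + (a,)) for a in node[2]),
               key=lambda v: v[i])

def reach_prob(sigma, h):
    p = Fraction(1)
    for n, a in enumerate(h):
        p *= sigma[h[:n]].get(a, 0)
    return p

def faces_threat(game, sigma, h):
    """Definition 4.1, with payoffs measured from the root (assumption)."""
    node = node_at(game, h)
    i = node[1] - 1
    cont = {a: threat_free_value(game, h + (a,))[i] for a in node[2]}
    prescribed = sum(sigma[h].get(a, 0) * v for a, v in cont.items())
    return reach_prob(sigma, h) * (max(cont.values()) - prescribed) > 0

def best_response_value(game, sigma, i, h=()):
    node = node_at(game, h)
    if node[0] == "leaf":
        return node[1][i]
    below = {a: best_response_value(game, sigma, i, h + (a,)) for a in node[2]}
    if node[1] - 1 == i:
        return max(below.values())
    return sum(sigma[h].get(a, 0) * v for a, v in below.items())

def is_nash(game, sigma):
    return all(best_response_value(game, sigma, i) <= value(game, sigma)[i]
               for i in range(2))

def is_tfne(game, sigma):
    """Definition 4.2: a NE in which no history carries a threat."""
    return is_nash(game, sigma) and not any(
        faces_threat(game, sigma, h) for h in histories(game))

def is_spe(game, sigma):
    """One-shot deviation check at every history, reached or not."""
    return all(value(game, sigma, h + (a,))[node_at(game, h)[1] - 1]
               <= value(game, sigma, h)[node_at(game, h)[1] - 1]
               for h in histories(game) for a in node_at(game, h)[2])

# Constructed sample games with distinct payoffs for each player.
ENTRY = move(1, out=leaf(0, 2),
             enter=move(2, fight=leaf(-1, -1), accommodate=leaf(1, 1)))
EMPTY_THREAT = {(): {"out": 1}, ("enter",): {"fight": 1}}
CREDIBLE = {(): {"enter": 1}, ("enter",): {"accommodate": 1}}

SIDE = move(1, left=leaf(2, 2), right=move(2, low=leaf(0, 0), high=leaf(1, 1)))
OFF_PATH_SLACK = {(): {"left": 1}, ("right",): {"low": 1}}
```

`EMPTY_THREAT` is a Nash equilibrium that TFNE rejects, while `OFF_PATH_SLACK` plays non-optimally off the equilibrium path without threatening anyone, so it is a TFNE that is not subgame perfect.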

4.3 Round-Parameterized Version 

For games induced by cryptographic protocols we will need a more general definition of 
TFNE. We assume that in these games players alternate moves, and thus there is a natural 
notion of the "rounds" in the game: Player $i$ makes a move in round 1, then player $-i$ 
makes a move in round 2, and so on until the end of the game. 

For the general definition, we introduce a few modifications to the vanilla version: 

• We add a slackness parameter $\varepsilon$. This is necessary for our applications in order to 
handle the probability of error inherent in almost all cryptographic protocols. 

• We allow players to be threatened at rounds, rather than just specific histories. This 
is needed because when we add the slackness parameter, a player might be threatened 
at a set of histories, where the weight of each individual threat does not exceed the 
slackness parameter, but the overall weight does. 

• Finally, for a player to be threatened, we require that he improve on all threat-free 
continuations $\pi$. The reason we need this is that in the general case, there may be 
more than one $\pi$ that is threat-free. If a player deviates from his prescribed behavior, 
he cannot choose which (threat-free) continuation will be played. 

The definitions below make use of the notion of a round $R$ strategy of player $i$: This 
is simply a function mapping every history $h$ that reaches round $R$ to a distribution over 
$A(h)$. For a round $R \in \mathbb{N}$ we let $\sigma_i(R)$ represent player $i$'s round $R$ strategy implied by $\sigma$. 
Let $\sigma(R) = (\sigma_1(R), \sigma_2(R))$, and let 

$$\mathrm{Cont}(\sigma(1), \ldots, \sigma(R)) \stackrel{\mathrm{def}}{=} \{\pi \in T : \pi(S) = \sigma(S) \;\; \forall S \le R\},$$

where $T = (T_1, T_2)$ consists of constraints for players' strategies. 

Definition 4.4 ($\varepsilon$-threat) Let $\Gamma = (H, P, A, u)$ be an extensive game with constraints 
$T = (T_1, T_2)$. Let $\varepsilon > 0$, let $\sigma \in T$ be a strategy profile, and let $R \in \mathbb{N}$ be a round of $\Gamma$. 
Player $i = P(R)$ is facing an $\varepsilon$-threat at round $R$ with respect to $\sigma$ if there exists a round 
$R$ strategy $\tau = \tau(R)$ for player $i$ such that 

(i) the set $\mathrm{Cont}(\sigma(1), \ldots, \sigma(R-1), \tau(R))$ is nonempty, and 

(ii) for all $\pi \in \mathrm{Cont}(\sigma(1), \ldots, \sigma(R-1), \tau(R))$ and $\pi' \in \mathrm{Cont}(\sigma(1), \ldots, \sigma(R))$ that are 
$\varepsilon$-threat-free on $R$ 

$$E[u_i(O(\pi))] > E[u_i(O(\pi'))] + \varepsilon,$$

where strategy $\pi$ is $\varepsilon$-threat-free on $R$ if for all rounds $S > R$ it holds that player $P(S)$ is 
not facing an $\varepsilon$-threat at round $S$ with respect to $\pi$. 

Note that if $R$ is the last round of the game, then any profile $\pi \in T$ is $\varepsilon$-threat-free on $R$. 
Using Definition 4.4 we can now define an $\varepsilon$-TFNE. 

Definition 4.5 ($\varepsilon$-threat-free Nash equilibrium) Let $\Gamma = (H, P, A, u)$ be an extensive 
game with constraints $T = (T_1, T_2)$. A strategy profile $\sigma^* \in T$ is an $\varepsilon$-threat-free Nash 
equilibrium ($\varepsilon$-TFNE) if: 

1. $\sigma^*$ is an $\varepsilon$-NE of $\Gamma$, and 

2. for any round $R$ of $\Gamma$, player $P(R)$ is not facing an $\varepsilon$-threat at round $R$ with respect 
to $\sigma^*$. 

As is the case for Definition 4.1, Definition 4.4 (and hence Definition 4.5) would not 
be (semantically) well-defined if either one of the sets $\mathrm{Cont}(\sigma(1), \ldots, \sigma(R-1), \tau(R))$ or 
$\mathrm{Cont}(\sigma(1), \ldots, \sigma(R))$ would not contain at least one profile $\pi$ that is $\varepsilon$-threat-free on $R$. 
The following proposition shows that this can never be the case. 

Proposition 4.6 Let $\Gamma = (H, P, A, u)$ be an extensive game with constraints $T = (T_1, T_2)$. 
Let $\varepsilon > 0$, let $\sigma \in T$ be a strategy profile, and let $R$ be a round of $\Gamma$. For any round $R$ 
strategy $\tau = \tau(R)$ for player $i = P(R)$, if the set $\mathrm{Cont}(\sigma(1), \ldots, \sigma(R-1), \tau(R))$ is nonempty 
then it contains at least one profile $\pi$ that is $\varepsilon$-threat-free on $R$. 

Proof: For any round $R$ of $\Gamma$, let $\mathrm{height}(R)$ be the distance between $R$ and the last round 
of $\Gamma$. The proof of the proposition is by induction on $\mathrm{height}(R)$. 

For the base case $\mathrm{height}(R) = 0$, note that, by the hypothesis of the proposition, the 
set $\mathrm{Cont}(\sigma(1), \ldots, \sigma(R-1), \tau(R))$ is nonempty. Since $R$ is the last round of the game, 
the set contains exactly one profile, $(\sigma(1), \ldots, \sigma(R-1), \tau(R))$, and this profile is vacuously 
$\varepsilon$-threat-free on $R$. 

Next, suppose the claim of the proposition holds for all rounds $R$ with $\mathrm{height}(R) < k$. 
We will prove that it holds for round $R$ satisfying $\mathrm{height}(R) = k$. Let $i = P(R)$, and 
assume that there exists some $\pi' \in \mathrm{Cont}(\sigma(1), \ldots, \sigma(R-1), \tau(R))$. We would like to show 
that $\mathrm{Cont}(\sigma(1), \ldots, \sigma(R-1), \tau(R))$ contains at least one profile $\pi$ that is $\varepsilon$-threat-free on $R$. 

By the inductive hypothesis we have that, for any round $R+1$ strategy $\tau'$ of player $-i$, 
if the set $\mathrm{Cont}(\sigma(1), \ldots, \sigma(R-1), \tau(R), \tau'(R+1))$ is nonempty then it contains at least 
one profile that is $\varepsilon$-threat-free on $R+1$ (since $\mathrm{height}(R+1) < k$). We will choose a profile 
that has a maximal $\tau'$ as follows. Let 

$$\mathrm{TF}(R+1) \stackrel{\mathrm{def}}{=} \Big\{\pi \in \bigcup_{\tau'} \mathrm{Cont}(\sigma(1), \ldots, \sigma(R-1), \tau(R), \tau'(R+1)) : \pi \text{ is } \varepsilon\text{-threat-free on } R+1\Big\}$$

and note that $\mathrm{TF}(R+1)$ must be nonempty. This is because there always exists at least 
one $\tau'$ for which $\mathrm{Cont}(\sigma(1), \ldots, \sigma(R-1), \tau(R), \tau'(R+1))$ is nonempty: namely, we could 
have $\tau'(R+1) = \pi'(R+1)$. Since $\mathrm{Cont}(\sigma(1), \ldots, \sigma(R-1), \tau(R), \pi'(R+1))$ is nonempty 
by assumption, it must contain a profile that is $\varepsilon$-threat-free on $R+1$ (by the inductive 
hypothesis). 

We now choose a profile $\pi \in \mathrm{TF}(R+1)$ that satisfies 

$$u_{-i}(\pi) \ge u_{-i}(\pi'') - \varepsilon$$

for all $\pi'' \in \mathrm{TF}(R+1)$. So now we have a profile $\pi \in \mathrm{Cont}(\sigma(1), \ldots, \sigma(R-1), \tau(R))$, which 
we claim is $\varepsilon$-threat-free on round $R$. To see this, note that $\pi$ is $\varepsilon$-threat-free on $R+1$ 
by the way we chose it (i.e. a profile from $\mathrm{Cont}(\sigma(1), \ldots, \sigma(R-1), \tau(R), \tau'(R+1))$ that is 
$\varepsilon$-threat-free on $R+1$). However, since we chose a maximal $\tau'$ (up to $\varepsilon$), there is no $\varepsilon$-threat 
at round $R+1$ either. Thus $\pi$ is $\varepsilon$-threat-free on $R$. ∎ 



5 The Computational Setting 

In the following we explain how to use the notion of TFNE for cryptographic protocols. In 
Section 5.1 we describe how to view a cryptographic protocol as a sequence of extensive 
games. In Section 5.2 we show how to translate the behavior of an interactive TM to a 
sequence of strategies. In Section 5.3 we show how to express computational hardness in 
a game-theoretic setting. Finally, in Section 5.4 we give our definition of computational 
TFNE. 

5.1 Protocols as Sequences of Games 

When placing cryptographic protocols in the framework of extensive games, the possible 
messages of players in a protocol correspond to the available actions in the game tree, and 
the prescribed instructions correspond to a strategy in the game. 

The protocol is parameterized by a security parameter $k \in \mathbb{N}$. The set of possible 
messages in the protocol, as well as its prescribed instructions, typically depend on this $k$. 
Assigning for each $k$ and each party a payoff for every outcome, a protocol naturally induces 
a sequence $\Gamma^{(k)} = (H^{(k)}, P^{(k)}, A^{(k)}, u^{(k)})$ of extensive games, where: 

• $H^{(k)}$ is the set of possible transcripts of the protocol (sequences of messages exchanged 
between the parties). A history $h \in H^{(k)}$ is terminal if the prescribed instructions of 
the protocol instruct the player whose turn it is to play next to halt on input $h$. 

• $P^{(k)} : (H^{(k)} \setminus Z^{(k)}) \to \{1, 2\}$ is a function that assigns a "next" player to every 
non-terminal history. 

• $A^{(k)}$ is a function that assigns to every non-terminal history $h \in H^{(k)} \setminus Z^{(k)}$ a set 
$A^{(k)}(h) = \{m : (h \circ m) \in H^{(k)}\}$ of possible protocol messages to player 

• $u^{(k)} = (u_1^{(k)}, u_2^{(k)})$ is a vector of payoff functions $u_i^{(k)} : Z^{(k)} \to \mathbb{R}$. 

A sequence $\Gamma = \{\Gamma^{(k)}\}_{k \in \mathbb{N}}$ of games defined as above is referred to as a computational game. 

4 We can interpret "disallowed" messages in the protocol as abort, and define "abort" as a possible protocol 
message. This will imply that every execution of the protocol corresponds to some history in the game. 

Remark 5.1 In the following we will consider games played by Turing machines. Thus, 
actions will be represented by strings. As opposed to traditional game theory, where players 
are computationally unbounded, in our case the names of the actions will be significant. 
For example, in the One-way Permutation Game, if we encode player 1's action $f(x)$ by 
the string $x$ for every $x \in \{0, 1\}^k$, then inverting the one-way permutation becomes easy for 
player 2. However, to avoid too much notation, we will identify actions with their string 
representation. The reader should keep in mind, however, that actions are always strings, 
and that changing the string representation of actions might be with loss of generality. 

5.2 Strategic Representation of Interactive Machines 

Protocols are defined in terms of interactive Turing machines (ITMs) - see [8] for a formal 
definition. More specifically, the prescribed behavior for each player is defined via an ITM, 
and any possible deviation of this player corresponds to choosing a different ITM. In order 
to argue about the protocol in a game-theoretic manner we formalize, using game-theoretic 
notions, the strategic behavior implied by ITMs. We believe this formalization is necessary 
for our treatment or any game-theoretic analysis of ITMs, in particular because, to the best 
of our knowledge, it has never been done before. However, because this section somewhat 
departs from the main thrust of the paper, the reader may skip to Section 5.3 keeping 
the following (informally stated) conclusion in mind: The strategic behavior of an ITM for 
player i in a protocol may be seen as a collection of independent distributions on actions, 
one for each of player i's histories that are reached with positive probability given the ITM 
of player i and some strategy profile of the other players. We refer to this collection as the 
behavioral reduced strategy induced by the ITM. 

When considering some computational game in a sequence $\Gamma = \{\Gamma^{(k)}\}_{k \in \mathbb{N}}$ and an 
ITM "playing" this game (with input $1^k$), the machine does not, strictly speaking, define 
a strategy. Informally, the machine specifies how to play only on histories that are not 
inconsistent with the specification on earlier histories in the game. That is, an ITM for 
player i specifies distributions on actions for all histories on which it is player i's turn, 
except those it cannot reach based on its own specification on earlier histories. This is the 
case, because when fixing the other player's moves, the distribution on actions the machine 
plays on a history that cannot be reached is simply undefined, as we are conditioning on 
an event with probability 0. In the following, we show that the prescribed behavior of an 
ITM can be seen as a convex combination of reduced strategies (which we call mixed reduced 
strategy), to be defined next. We then define the natural analogue of behavioral reduced 
strategy, and argue that for every mixed reduced strategy there exists a behavioral reduced 
strategy that is outcome-equivalent. We will eventually use behavioral reduced strategies 
to describe the behavior induced by ITMs. 

Definition 5.2 (Reduced strategy (adapted from [27])) Given a game $\Gamma = (H, P, A, u)$, 
a (pure) reduced strategy for player $i$ is a function $\sigma_i$ whose domain is a subset of 
$\{h \in H \mid P(h) = i\}$ with the following properties: 

• For every $h$ in the domain of $\sigma_i$ it holds that $\sigma_i(h) \in A(h)$. 

• $h = (a_1, \ldots, a_m)$ is in the domain of $\sigma_i$ if and only if for any $1 \le \ell \le m-1$ such that 
$P(a_1, \ldots, a_\ell) = i$ it holds that $(a_1, \ldots, a_\ell)$ is in the domain of $\sigma_i$ and $\sigma_i(a_1, \ldots, a_\ell) =$ 

Definition 5.3 (Mixed reduced strategy) A mixed reduced strategy for player $i$ is a 
distribution over reduced strategies for player $i$. 

Given an ITM for , for every instance of internal randomness for that machine (i.e., 
a vector of coins), the induced behavior of that ITM is exactly a reduced strategy. This is 
the case because for every profile of pure strategies (or reduced pure strategies) of the other 
players, the randomness naturally defines an action for every history that is consistent with 
its previous actions (the sequence of these actions, together with the profile, defines the 
outcome of the game), and on the other hand, naturally the randomness does not define an 
action for histories that are not consistent with that randomness (as with that randomness 
the machine will never reach these histories). It follows that an ITM defines a distribution 
over reduced (pure) strategies, i.e., a mixed reduced strategy. We now formalize this claim. 

Definition 5.4 (Induced mixed reduced strategy of an ITM) Let $M$ be a probabilistic 
ITM for player $i$ in the extensive game $\Gamma$. Assume that $M$ halts for any infinite vector 
of coins and any sequence of messages sent by the other players, and let $t$ be a bound on the 
number of coins it reads. Let $r$ be a (sufficiently long) coin vector for $M$. Then the induced 
pure reduced strategy $\sigma_i^{(r)}$ of $M$ with randomness $r$ is defined as follows: 

• $h = (a_1, \ldots, a_m)$ is in the domain of $\sigma_i^{(r)}$ if and only if: 

  - $P(a_1, \ldots, a_m) = i$; 

  - For any $1 \le \ell \le m-1$ such that $P(a_1, \ldots, a_\ell) = i$ it holds that $(a_1, \ldots, a_\ell)$ is in 
    the domain of $\sigma_i^{(r)}$ and when $M$ with randomness $r$ participates in an interaction, 
    conditioned on the sequence of sent messages being $(a_1, \ldots, a_\ell)$ (where $a_{\ell+1}$ is a 
    message sent by the ITM representing player $P(a_1, \ldots, a_\ell)$ for any $1 \le \ell \le m-1$), 
    the message sent by $M$ is $a_{\ell+1}$.⁵ 

• For any $h = (a_1, \ldots, a_m)$ in the domain of $\sigma_i^{(r)}$, the action $\sigma_i^{(r)}(a_1, \ldots, a_m)$ is the 
message sent by $M$ with randomness $r$ conditioned on the sequence of sent messages 
being $(a_1, \ldots, a_m)$. 

The mixed reduced strategy induced by $M$ is now defined as follows: the probability 
assigned to any pure reduced strategy $\sigma$ is the probability that the induced reduced strategy 
of $M$ with randomness $r$ is $\sigma$, where $r$ is uniformly chosen from $U_t$. 

In [27] it is shown that for perfect-recall extensive games (which are the only games 
we will consider here), every mixed strategy has a behavioral strategy that is outcome 
equivalent. (Two strategies are outcome-equivalent if for every profile of pure strategies of 
the other players the two strategies induce the same distribution on outcomes; a mixed 
strategy is a distribution on pure strategies.) Next, we define the behavioral analogue of a 
mixed reduced strategy, and argue that the same holds for mixed and behavioral reduced 
strategies: For perfect-recall extensive games, every mixed reduced strategy has a behavioral 
reduced strategy that is outcome equivalent. 

5 For completeness, we may assume that whenever $M$ outputs on history $h$ an action that is not in $A(h)$, 
we interpret it as abort, which is denoted in the induced game by $\bot$ and is always a legal action. 

Definition 5.5 (Behavioral reduced strategy) Given a game $\Gamma = (H, P, A, u)$, a 
behavioral reduced strategy for player $i$ is a collection $\sigma_i = (\sigma_i(h))_{h \in \mathcal{H}}$ of independent 
probability measures, where $\mathcal{H}$ is a subset of $\{h \in H \mid P(h) = i\}$, with the following properties: 

• $\sigma_i(h)$ is a probability measure over $A(h)$ for every $h$ in $\mathcal{H}$. 

• $h = (a_1, \ldots, a_m)$ is in $\mathcal{H}$ if and only if for any $1 \le \ell \le m-1$ such that $P(a_1, \ldots, a_\ell) = i$ 
it holds that $(a_1, \ldots, a_\ell) \in \mathcal{H}$ and $\sigma_i(a_1, \ldots, a_\ell)(a_{\ell+1}) > 0$. 

Claim 5.6 Every mixed reduced strategy has a behavioral reduced strategy that is outcome 
equivalent. 

Proof Sketch: Every pure reduced strategy $\sigma_i$ for player $i$ can be extended to a (full) 
pure strategy by assigning arbitrary values to all histories in $\{h : P(h) = i\}$ for which $\sigma_i$ is 
undefined. The two strategies will be outcome-equivalent, as the outcome is only affected by 
the consistent histories of $\sigma_i$. It follows that every mixed reduced strategy can be extended 
to a mixed (full) strategy that is outcome-equivalent. 

On the other hand, every behavioral strategy $\sigma_i = (\sigma_i(h))_{h : P(h) = i}$ can be restricted to a 
behavioral reduced strategy by restricting the collection of probability measures accordingly. 
Again, the two strategies will be outcome-equivalent, as the distribution on outcomes is only 
affected by the consistent histories of $\sigma_i$. 

Finally, as mentioned above, in [27] it is shown that for perfect-recall extensive games, 
every mixed strategy has a behavioral strategy that is outcome equivalent. 

Thus, given some mixed reduced strategy we extend it to a mixed strategy that is 
outcome-equivalent, then transform it to a behavioral strategy that is outcome-equivalent, 
and finally we restrict the resulting behavioral strategy to an outcome-equivalent behavioral 
reduced strategy. □ 

As argued above, ITMs induce mixed reduced strategies, and by Claim 5.6 these induce 
behavioral reduced strategies. Thus, in the following we will model ITMs by behavioral 
reduced strategies. This is captured by the notion of strategic representation. 

Definition 5.7 (Strategic representation of an ITM) Let $\Gamma$ be a game and let $i \in \{1, 2\}$. 
Let $M$ be an ITM for player $i$. Assume that $M$ halts for any infinite vector of coins 
and any sequence of messages sent by the other players. Let $\sigma$ be the mixed reduced strategy 
induced by $M$. Then the strategic representation of $M$ is the behavioral reduced strategy 
that is outcome-equivalent to $\sigma$.⁶ 

Similarly, for a sequence of games $\{\Gamma^{(k)}\}_{k \in \mathbb{N}}$ and an ITM $M$ that takes a security 
parameter $1^k$, the strategic representation of $M$ is the sequence of strategic representations of 
$M(1), M(1^2), M(1^3), \ldots$. 

6 In certain games there may be more than one behavioral reduced strategy that is outcome-equivalent 
to $\sigma$. However, our treatment will always be indifferent to the actual choice. 
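To make Definitions 5.4 to 5.7 concrete, the following added Python example (not from the paper) enumerates the coins of a small constructed machine, derives its induced pure and mixed reduced strategies, converts the mixed reduced strategy into a behavioral one by conditioning on the coins consistent with each history, and checks outcome equivalence against every pure strategy of the other player. The three-message game (player 1 sends $a$, player 2 sends $b$, player 1 sends $c$, all bits), the machine and all function names are assumptions made for illustration.

```python
from collections import Counter, defaultdict
from fractions import Fraction
from itertools import product

T = 2  # number of coins the machine reads (the bound t of Definition 5.4)

def machine(coins, history):
    """Constructed player-1 ITM: deterministic once its coins are fixed."""
    r0, r1 = coins
    if history == ():
        return r0 | r1              # first message a
    _, b = history
    return r0 if b == 0 else r1     # third message c depends on P2's bit b

# Player 1's histories in the constructed game: () and every pair (a, b).
P1_HISTORIES = [()] + list(product((0, 1), repeat=2))

def own_moves(history):
    """(prefix, action) pairs of `history` at which player 1 was the mover."""
    return [(history[:n], history[n]) for n in range(0, len(history), 2)]

def pure_reduced_strategy(coins):
    """Definition 5.4: keep only histories consistent with M's own messages."""
    return {h: machine(coins, h) for h in P1_HISTORIES
            if all(machine(coins, prefix) == a for prefix, a in own_moves(h))}

def mixed_reduced_strategy():
    """Distribution over pure reduced strategies for uniformly chosen coins."""
    mixed = Counter()
    for coins in product((0, 1), repeat=T):
        mixed[frozenset(pure_reduced_strategy(coins).items())] += Fraction(1, 2 ** T)
    return mixed

def behavioral_reduced_strategy(mixed):
    """sigma_i(h)(a) = Pr[strategy plays a at h | h is in its domain]."""
    weight = defaultdict(Fraction)
    joint = defaultdict(lambda: defaultdict(Fraction))
    for strategy, p in mixed.items():
        for h, a in strategy:
            weight[h] += p
            joint[h][a] += p
    return {h: {a: q / weight[h] for a, q in joint[h].items()} for h in weight}

def outcomes_from_machine(s2):
    """Outcome distribution when M plays against P2's pure strategy s2."""
    dist = Counter()
    for coins in product((0, 1), repeat=T):
        a = machine(coins, ())
        b = s2[a]
        dist[(a, b, machine(coins, (a, b)))] += Fraction(1, 2 ** T)
    return dict(dist)

def outcomes_from_behavioral(beh, s2):
    dist = {}
    for a, pa in beh[()].items():
        b = s2[a]
        for c, pc in beh[(a, b)].items():
            dist[(a, b, c)] = pa * pc
    return dist

def outcome_equivalent():
    """Check equality of outcome distributions for all four strategies of P2."""
    beh = behavioral_reduced_strategy(mixed_reduced_strategy())
    strategies = [dict(zip((0, 1), bits)) for bits in product((0, 1), repeat=2)]
    return all(outcomes_from_machine(s2) == outcomes_from_behavioral(beh, s2)
               for s2 in strategies)
```

With coins (0, 0) the machine sends $a = 0$, so the histories beginning with $a = 1$ are absent from that pure reduced strategy's domain; the behavioral reduced strategy still covers them because other coin vectors reach them.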
5.2.1 $\varepsilon$-TFNE for Reduced Strategies 

In Section 4.3 we presented our general definition of TFNE. However, that definition was 
framed for strategies and, following the conclusion of the previous section, we actually care 
about reduced strategies. To make Definition 4.5 work for reduced strategies we notice that 
only two small changes need to be made: We need to define the notion of a round $R$ reduced 
strategy, and we need to allow the constraint sets $T_1$ and $T_2$ to include behavioral reduced 
strategies. 

Definition 5.8 (Round $R$ reduced strategy) Let $\Gamma = (H, P, A, u)$ be an extensive game, 
let $R$ be a round of $\Gamma$, and let $\sigma_i$ be a behavioral reduced strategy of player $i = P(R)$. Then 
$\tau = \tau(R)$ is a round $R$ reduced strategy of player $i$ consistent with $\sigma_i$ if the following hold: 

• When $R = 1$, $\tau(1)$ is a distribution over $A(\epsilon)$. 

• Otherwise, there exists some behavioral reduced strategy $\pi_i$ of player $i$ for which $\pi_i(j) =$ 

for all $j \in \{1, \ldots, R-1\}$, and such that $\pi_i(R) = \tau_i(R)$. 

Throughout the paper, the behavioral reduced strategy $\sigma_i$ with which $\tau(R)$ is consistent 
will be evident from the context, and so we omit reference to this consistency requirement. 

Next, we modify the definition of constraints (Definition 3.6) by allowing each constraint 
set $T_i$ to be a subset of 0/i-p(/ l )=i(^'i(^)U -L)> where $\sigma_i(h) = \bot$ if the history $h$ is not in the 
domain of the reduced strategy $\sigma_i$. 

Finally, we observe that, following the two modifications above, Definitions 4.4 and 4.5 
work for behavioral reduced strategies as well (replacing "strategy" by "behavioral reduced 
strategy" and "round $R$ strategy" by "round $R$ reduced strategy"). 

5.3 Computational Hardness in the Game-Theoretic Setting 

The security of cryptographic protocols stems from the assumption on the limitation of the 
computational power of the players. In our strategic analysis of games, we also expect to 
deduce the (sequential) equilibrium from this limitation. However, because protocols are 
parameterized by a security parameter, a strategic analysis of protocols requires dealing 
with a sequence of games rather than a single game. While relating to the sequence of 
games is crucial in order to express computational hardness (as this hardness is defined in 
an asymptotic manner), this raises a new difficulty: How do we extend the definition of 
TFNE to sequences of games? 

An appealing approach might be to try to define empty threats for sequences of games. 
That is, one might consider the effect of deviations on the expected payoff as $k$ goes to 
infinity (much like the derivation of CNE from NE). However, to the best of our understanding 
this approach cannot work. Loosely speaking, this is because in order to relate to empty 
threats one has to consider deviations in internal nodes of the game tree, and it is not clear 
how to define such deviations for sequences of games. Typically, the structure of the game 
tree changes with k, so it is not clear even how to define an "internal node" in a sequence 
of games. 

Instead, our approach insists on analyzing empty threats for individual games. Thus, 
our solution concept reflects a hybrid approach that relates to a protocol both as a 
family of individual, extensive games and as a sequence of normal-form games. To eliminate 
empty threats one must relate to the interactive aspect of each individual game (as this 
is the setting where threats are defined). In order to claim players are playing optimally 
under their computational constraints, one must think of the protocol as a sequence of 
one-shot games (because computational hardness is meaningful only when players are required 
to choose their machines in advance, and as the traditional notion of hardness is stated 
asymptotically). 

5.3.1 Strategy-filters 

When considering computational games $\Gamma = \{\Gamma^{(k)}\}_{k \in \mathbb{N}}$, the computational bounds on the 
players will be expressed by restricting the space of available strategies for the players. The 
available sequences of reduced strategies for the players will be exactly those that can be 
played by the ITMs that meet the computational bound on the players. In our case we will 
consider PPT ITMs. 

While on the one hand every PPT ITM fails on cryptographic challenges for large enough 
values of the security parameter $k$ (under appropriate assumptions), on the other hand, PPT 
ITMs can have arbitrarily large size and thus arbitrarily much information hardwired, and 
so for every $k$ there is a PPT ITM that breaks the cryptographic challenges with security 
parameter $k$. In our analysis, we would like to "filter" machines according to their ability 
to break cryptographic challenges for specific $k$'s, and allow using them only in games that 
correspond to large enough $k$'s, where these machines fail (and in particular, cannot use 
hard-wiring to solve the cryptographic challenges). 

To this end, we define the notion of a strategy-filter. For each value $k$ of the security 
parameter and value $\varepsilon$, a strategy-filter maps the ITM $M$ to either $\bot$ or to its strategic 
representation, according to whether $M(1^k)$ violates level of security $\varepsilon$ or does not 
(respectively). 

Definition 5.9 (Strategy-filter) Let $\Gamma = \{\Gamma^{(k)}\}_{k \in \mathbb{N}}$ be a computational game and let $i$ be 
a player. A strategy-filter is a sequence $F_i = \{F_i^{(k)} : \mathcal{M} \times [0, 1] \to\ \cup \{\bot\}\}_{k \in \mathbb{N}}$ such that 
for every ITM $M$, every $k \in \mathbb{N}$ and every $\varepsilon \in [0, 1]$, it holds that either $F_i^{(k)}(M, \varepsilon) = \bot$, or 
$F_i^{(k)}(M, \varepsilon) = \sigma_i^{(k)}$, where $\sigma_i^{(k)}$ is the strategic representation of the machine $M(1^k, \cdot)$. 

A strategy-filter is meaningful if it allows us to reason about all reduced strategies that 
are considered to be feasible, in our case PPT implementable reduced strategies, and in 
particular does not filter them out. This is captured in the following definition. 

Definition 5.10 (PPT-covering filter) A strategy-filter $F_i$ is said to be PPT-covering if 
for every PPT ITM $M$ and any positive polynomial $p(\cdot)$ there exists $k_0$ such that for all 
$k > k_0$, it holds that $F_i^{(k)}(M, 1/p(k)) \neq \bot$. 

Typically, protocols have the following security guarantee (under computational 
assumptions): for every $i$, every PPT ITM $M$ of $P_i$ and every polynomial $p(\cdot)$, there exists $k_0$ such 
that for any $k > k_0$, the ITM $M$ does not break level of security $1/p(k)$ in the protocol with 
security parameter $k$. Such a protocol will naturally have a PPT-covering filter, where if 
$F_i^{(k)}(M, \varepsilon) \neq \bot$ then the reduced strategy $F_i^{(k)}(M, \varepsilon)$ "does not break level of security $\varepsilon$ in 
the game $\Gamma^{(k)}$." 
5.3.2 Tractable Reduced Strategies 

As reflected above, the asymptotic nature of defining security does not determine any level 
of security for any $k$. Rather, it dictates that any PPT ITM "eventually fails in violating 
$1/p(k)$ security" for any $p(\cdot)$ (where "eventually" means for large enough $k$). Thus, we 
follow the same approach in our game theoretic analysis: roughly speaking, our solution 
concept requires that $\varepsilon$-security will imply $\varepsilon$-stability for any $k$ (rather than requiring a 
particular level of stability for each $k$). More formally, we require that for any $k$ and any $\varepsilon$, 
the game induced by the protocol with security parameter $k$ be in $\varepsilon$-TFNE, given that the 
available strategies for the players are those that do not break level of security $\varepsilon$. Thus, for 
any pair $(k, \varepsilon)$ we will consider the game with available reduced strategies restricted 
to those that guarantee $\varepsilon$-security. The following definition derives from a PPT-covering 
filter, for each such game, the set of available reduced strategies for each player. 

Definition 5.11 (Tractable reduced strategies) Let $F_i$ be a PPT-covering filter. For 
every $k \in \mathbb{N}$ and $\varepsilon \in [0, 1]$ we define the set $T_{i,\varepsilon}^{(k)}(F_i)$ of $(k, \varepsilon)$-tractable reduced strategies for 
player $i \in \{1, 2\}$ as 

$$\{F_i^{(k)}(M, \varepsilon) \mid M \text{ is a PPT ITM and } F_i^{(k)}(M, \varepsilon) \neq \bot\}.$$

Whenever $F_i$ will be understood from the context, we will write $T_{i,\varepsilon}^{(k)}$ to mean $T_{i,\varepsilon}^{(k)}(F_i)$. 

5.4 Computational TFNE 

We can now define our computational variant of TFNE. Roughly, the definition requires 
that there exist a family of PPT compatible constraints such that for any $k$ and any $\varepsilon$, the 
strategies played by the machines on input security parameter $k$ are in $\varepsilon$-TFNE in the game 
indexed by $(k, \varepsilon)$. 

Definition 5.12 (Computational TFNE) Let $\Gamma$ be a computational game. A pair of 
PPT machines $(M_1, M_2)$ is said to be in a computational threat-free Nash equilibrium 
(CTFNE) of $\Gamma$ if there exists a pair of PPT-covering filters $(F_1, F_2)$ such that for every $k, \varepsilon$ 
for which $F_1^{(k)}(M_1, \varepsilon)$ and $F_2^{(k)}(M_2, \varepsilon)$ are tractable the profile $(F_1^{(k)}(M_1, \varepsilon), F_2^{(k)}(M_2, \varepsilon))$ 
constitutes an $\varepsilon$-TFNE in the $(T_{1,\varepsilon}^{(k)}, T_{2,\varepsilon}^{(k)})$-constrained version of $\Gamma^{(k)}$. 

The expressive power of Definition 5.12 is illustrated through the following claim, which 
refers to Example 1.2. We omit the proof, and proceed to more interesting applications in 
Sections 6 and 7. 

Claim 5.13 In the modified one-way permutation game, 

(i) the strategy profile in which $P_1$ plays and $P_2$ plays after a history of and randomly 
otherwise is a CTFNE, and 

(ii) any profile in which $P_2$ plays randomly after history is not a CTFNE. 

We note that part (ii) of the claim can easily be extended to profiles in which, after 
history 0, $P_2$ plays with probability at most $1 - p(k)$ for any polynomial $p$. 
6 The Coin-Flipping Game 



In the following we describe a classic protocol for coin-flipping, formulated as a sequence 
of games (parameterized by a security parameter k). We then show that the prescribed 
behavior according to that protocol constitutes a CTFNE in the sequence of games. 

Following is an informal description of the sequence of games. We assume some perfectly
binding commitment scheme with the following properties (see Appendix A for a formal
definition):

• For any security parameter $k$ (which is a common input to the sender and receiver),
the "commit" phase consists of one message from the sender to the receiver, denoted
$\mathrm{com}^{(k)}$, which is of length bounded by $p(k)$ for some polynomial $p$.

• For any PPT ITM, the advantage in guessing the committed value given the
aforementioned message is negligible in $k$.

The description defines the legal messages in each game. Recall that at any phase where a 
player is supposed to send a message, the move "abort" is legal (and well-defined). Note 
also, that any illegal message is interpreted as abort by the other player. The game is 
defined as follows: 

1. Player 1 chooses a string $c$ of length at most $p(k)$ and sends it to player 2.

2. Player 2 chooses a bit $r_2$, and sends $r_2$ to player 1.

3. Player 1 does one of the following: (1) sends to player 2 decom, where decom is a legal
decommitment to $c$ revealing that the committed value was $1 - r_2$ (in that case the
payoffs are (1,0)); or (2) aborts (in that case the payoffs are (0,1)).

Any other abort results in the aborting player receiving payoff 0, and the other player 
receiving 1. 

We now describe a pair of interactive ITMs for the game that form a CTFNE.
We describe them interleaved, in the form of a protocol. We denote the ITMs playing the
strategies of $P_1, P_2$ by $M_1, M_2$, respectively.

1. Player 1 chooses a random bit $r_1$, and sends $c = \mathrm{com}^{(k)}(r_1)$ to player 2 (player 1 also
obtains decom, which is a legal decommitment to $c$).

2. Player 2 chooses a random bit $r_2$, and sends $r_2$ to player 1.

3. If $r_1 \neq r_2$, player 1 sends decom to player 2. Else, player 1 aborts.

Theorem 6.1 The pair $(M_1,M_2)$ forms a CTFNE for the protocol above.

Proof: First we define the functions $F_1^{(k)}$ and $F_2^{(k)}$. For any $k$, the function $F_1^{(k)}$ never
maps to $\bot$ (this, roughly speaking, reflects the fact that the protocol is secure against an
all-powerful player 1). For $F_2$ we use the following rule: $F_2^{(k)}(M,\varepsilon) = \bot$ if and only if
"for security parameter $k$, the PPT ITM $M$ guesses the committed value with advantage
greater than $\varepsilon$." More formally, $F_2^{(k)}(M,\varepsilon) = \bot$ if and only if when player 1 sends as the first
message a random commitment of a random bit (i.e., chooses a random bit and then uses the
aforementioned commitment scheme using uniformly random coins), then the message with
which $M$ reacts is the committed value of player 1 with probability greater than $1/2 + \varepsilon$.

The fact that $F_1$ is PPT-covering is straightforward. The fact that $F_2$ is PPT-covering
follows directly from the security of the commitment scheme: For any positive polynomial
$p$, every PPT ITM has advantage smaller than $1/p(k)$ in guessing the committed value with
security parameter $k$, for large enough $k$'s.

Next, we need to show that for every $k,\varepsilon$ for which $F_1^{(k)}(M_1,\varepsilon) \neq \bot$ and $F_2^{(k)}(M_2,\varepsilon) \neq \bot$
the profile $(F_1^{(k)}(M_1,\varepsilon), F_2^{(k)}(M_2,\varepsilon))$ constitutes an $\varepsilon$-TFNE in the $T = (T_{1,\varepsilon}^{(k)}, T_{2,\varepsilon}^{(k)})$-constrained
version of $\Gamma^{(k)}$. Let $k,\varepsilon$ be as above, and let $\sigma = (\sigma_1,\sigma_2) = (F_1^{(k)}(M_1,\varepsilon), F_2^{(k)}(M_2,\varepsilon))$. We
first show that $\sigma$ constitutes an $\varepsilon$-NE in the $T$-constrained version of $\Gamma^{(k)}$.

The strategy $\sigma_1$ chooses a random commitment of a random bit in round 1, and in
round 3 decommits whenever it can. It is easy to see that this is optimal, as player 2 always
guesses the committed value with probability 1/2, and so there is no strategy for player 1
for which he can decommit with probability greater than 1/2 in round 3. It is also easy
to see that player 2's strategy is an $\varepsilon$ best-response, as any PPT ITM $M_2$ for player 2 for
which $F_2^{(k)}(M_2,\varepsilon) \neq \bot$ does not guess with advantage more than $\varepsilon$. We conclude that $\sigma$
constitutes an $\varepsilon$-NE in the $T$-constrained version of the game $\Gamma^{(k)}$.

Next, we show that no player is facing an $\varepsilon$-threat with respect to $\sigma$ at any round of the
$T$-constrained version of $\Gamma^{(k)}$. Note that for both players, the expected payoff according to
$\sigma$ is 1/2. Suppose some player is facing an $\varepsilon$-threat with respect to $\sigma$. We divide the proof
into cases.

Case 1 — $P_1$ is facing an $\varepsilon$-threat in round 3: In order for $P_1$ to improve in Step 3
by more than $\varepsilon$, it must play a round 3 strategy $\tau(3)$ in which he sends decom that proves
that $r_1 \neq r_2$ with larger probability than in $\sigma$. However, since in $\sigma$ player 1 sends decom
whenever $r_1 \neq r_2$ (and otherwise no such decom exists, since the commitment is perfectly
binding), we conclude that no such $\tau(3)$ exists.

Case 2 — $P_2$ is facing an $\varepsilon$-threat in round 2: According to the constraints, $P_2$ cannot
guess $r_1$ with probability greater than $1/2 + \varepsilon$. So in order for him to improve by more than
$\varepsilon$, it must be the case that he has some round 2 strategy $\tau(2)$, such that in any $\varepsilon$-threat-free
continuation in $\mathrm{Cont}(\sigma(1), \tau(2))$ player 1 aborts with positive probability conditioned on
$r_1 \neq r_2$. However, any continuation where $P_1$ aborts with zero probability conditioned on
$r_1 \neq r_2$ (and sends decom) is $\varepsilon$-threat-free, and so there is no deviation for $P_2$ for which he
improves on all $\varepsilon$-threat-free continuations.

Case 3 — $P_1$ is facing an $\varepsilon$-threat in round 1: Since $\sigma$ is $\varepsilon$-threat-free on round 1, if
$P_1$ is threatened in round 1 then he has a round 1 strategy $\tau(1)$ so that for all $\varepsilon$-threat-free
profiles in $\mathrm{Cont}(\tau(1))$ his expected payoff is greater than $1/2 + \varepsilon$. Consider the profile
$\sigma' = (\tau(1), \sigma(2), \sigma(3))$. This profile gives both players an expected payoff of 1/2 (assuming
$\tau(1)$ aborts with probability 0, which is clearly optimal), and is $\varepsilon$-threat-free on round 2
(by the same argument as Case 1 above). If $\sigma'$ is $\varepsilon$-threat-free on round 1 as well, then
$P_1$ does not improve by more than $\varepsilon$ using the deviation $\tau(1)$. If $\sigma'$ is not $\varepsilon$-threat-free on
round 1, then in any $\varepsilon$-threat-free profile in $\mathrm{Cont}(\tau(1))$ player 2's payoff must be greater
than $1/2 + \varepsilon$. However, this means that $P_1$'s payoff is less than 1/2, and again he does not
improve using the deviation $\tau(1)$. Hence, the postulated $\tau(1)$ does not exist, and so $P_1$ is
not facing an $\varepsilon$-threat in round 1. ■

7 Correlated Equilibria Without a Mediator 

In one of the first papers to consider the intersection of game theory and cryptography,
Dodis, Halevi and Rabin proposed an appealing methodology for implementing a correlated
equilibrium in a 2-player normal-form game without making use of a mediator. Under
standard hardness assumptions, they showed that for any 2-player normal-form game $\Gamma$
and any correlated equilibrium $\sigma$ for $\Gamma$, there exists a new 2-player extensive "extended
game" $\Gamma'$ and a CNE $\sigma'$ for $\Gamma'$, such that $\sigma$ and $\sigma'$ achieve the same payoffs for the players.
(Strictly speaking $\Gamma'$ is a sequence of games indexed by a security parameter, and a CNE
is defined for a sequence.) However, as already pointed out by Dodis et al., their protocol
lacks a satisfactory analysis of its sequential nature - the resulting "extended game" is an
extensive game, but the solution concept they use, CNE, is not strong enough for these
games.

In the following, we extend the definition of CTFNE to allow handling this setting (that 
is, we define CTFNE for extensive games with simultaneous moves at the leaves), give 
some justification for our new definition, and then provide a new protocol for removing 
the mediator that achieves CTFNE in a wide class of correlated equilibria that are in the 
convex hull of Nash equilibria (see definition below). 

7.1 The Dodis-Halevi-Rabin Protocol 

The "extended game" $\Gamma'$ consists of 2 phases. In the first phase ("preamble phase"), the
players execute a protocol for sampling a pair under the distribution $\sigma$, and in the second
phase each player plays the action implied by the sampled pair, in the original normal-form
game. The CNE of the extended game is the profile that consists of each player playing
the protocol honestly in the first phase, and then in the second phase, if the other player
did not abort, choosing the action by the protocol's result, and otherwise "punishing" the
other player by choosing a "min-max" action (i.e., choosing an action minimizing the utility
resulting from the other player's best response).

This profile is indeed a CNE because an efficient player can achieve only a negligible
advantage by trying to break the cryptography in the first phase, cannot achieve any
advantage by aborting in the first phase (as this minimizes its best possible move in the second
phase), and cannot gain any advantage in the expectation of the payoff by deviating in the
second phase, because the players are playing a pair of actions from a correlated equilibrium.

7.2 TFNE for Games with Simultaneous Moves at the Leaves 

The definition of an extensive game with simultaneous moves is similar to the definition
of an ordinary extensive game. The main difference is that now the function $P$ maps to
(nonempty) sets of players rather than to single players. The definition of history is then
changed to a sequence of sets of actions rather than a sequence of actions, and the definitions
of a strategy and a payoff function are both also changed accordingly. For a formal definition
see Osborne and Rubinstein [27].

In order to adjust our definition for extensive games with simultaneous moves, we notice 
that when a player deviates on a history with a simultaneous move, he cannot expect the 
other to react to this deviation (because they both play at the same time). However, in order 
to argue that a profile is rational, we still need to require that for every simultaneous move 
in the equilibrium support, each player is playing a "best response" given the other player's 
prescribed behavior. This means the prescribed behavior for the players should form some 
kind of equilibrium for normal-form games. In our case, the prescribed behavior will form 
a NE. The question of what a CTFNE profile should prescribe in off-equilibrium-support
histories is more delicate: Clearly, in order to claim that the profile is "rational," again
we need some kind of equilibrium for normal-form games. In our case the only deviation
will be prematurely aborting without completing the preamble phase, which leads to the
original normal-form game without agreeing on a sampled pair. In this case one can argue
that after one player aborted, the other (non-aborting) player cannot assume the aborting 
player will play his prescribed behavior in the simultaneous move (as he is already not 
following his prescribed behavior). However, we argue that it is in fact still rational to 
assume the aborting player will play his prescribed behavior. The justification for this 
claim is essentially the same as the justification for the rationality of NE. Once there is a 
prescribed behavior that is a NE, each player knows the other has no incentive to deviate, 
and so he also has no incentive to deviate. The essential difference between a deviation 
in an extensive game and a deviation in a simultaneous move, is that in the former, once 
a player deviated, the other player is facing a fact. He now has to readjust his behavior 
according to this deviation. However, in the latter, there is no point for a player to deviate 
from the prescribed NE, because the other player will not know about this deviation prior 
to choosing his move (if at all). Thus, for terminal leaves that are off-equilibrium-support 
(i.e., in the original normal-form game that follows an abort of some player), we claim it is
sufficient for a CTFNE to prescribe a NE as well. 

The bottom line of this discussion is that players cannot assume other players will 
deviate from any prescribed NE in any terminal leaf. Thus, our new definition of TFNE for 
extensive games with simultaneous moves at the leaves (abbreviated GSML) is essentially 
the same as the original definition, except that (i) we require a profile in TFNE to prescribe 
a NE in any terminal leaf, and (ii) in the definition of a threat we do not allow a player 
to assume the other will deviate from his strategy in any NE at a terminal leaf. In order 
to formally modify our definition of TFNE to achieve (ii), essentially we would need to 
define the only threat-free continuation on a leaf to be the one that assigns to the players 
the actions in the prescribed NE (which expresses the idea that a player is not allowed to 
assume the other will deviate from his strategy in any NE). 

However, we adopt an equivalent, simpler convention. Given a GSML $\Gamma$ and a profile
$\sigma$ that assigns a NE at every simultaneous move, we look at a slightly modified game $\Gamma'$:
All simultaneous moves are removed, and instead at each leaf where a simultaneous move
was removed each player is assigned his expected payoff in the corresponding NE for that
leaf. Note that the modified game is now a regular extensive game with no simultaneous
moves. We then "prune" the strategy profile to remove all the distributions on actions on
all simultaneous leaves and denote the resulting profile $\sigma'$. We say that $\sigma$ is a TFNE in $\Gamma$
if $\sigma'$ is a TFNE in $\Gamma'$. We call $\Gamma'$ and $\sigma'$ the pruned representation of $\Gamma$ and $\sigma$.

The definition of CTFNE for GSML is derived from the above definition of TFNE for 
GSML, similarly to the derivation of CTFNE from TFNE in the non-simultaneous case. 

A note on the strength of our definition. It seems that for general GSMLs our
definition is too strong. The reason is that in certain cases it is computationally intractable 
for the players to play the prescribed NE in every leaf (it is easy to construct simple 
sequences of games where one cannot assign tractable Nash equilibria at all leaves). While 
we do not yet know how to relax our definition to apply to these cases, we believe our 
definition, when met, is sufficient. 

7.3 Our Protocol 

For a non-trivial class of correlated equilibria, we show how to modify the DHR protocol 
to achieve CTFNE. Our basic idea is to use Nash equilibria as "punishments" for aborting 
players. That is, if there is a NE that assigns to a player a payoff at most his expected payoff 
when not aborting, then assigning this NE in case he aborts serves as a punishment and 
yields that the player has no incentive to abort. In the following we characterize a family 
of correlated equilibria for which we can use the aforementioned punishing technique, and 
prove that for this family we can remove the mediator while achieving CTFNE. 

We say that a correlated equilibrium $\pi$ is a convex combination of Nash equilibria if $\pi$
is induced by a distribution on (possibly mixed) Nash equilibria. (The set of such
distributions is sometimes referred to as the convex hull of Nash equilibria.) Note that any such
distribution is a correlated equilibrium (CE), but the converse is not true.

Let $\pi$ be a correlated equilibrium for a two-player game $\Gamma$ that is a convex combination
of a set $N$ of NEs. We say that $\pi$ is weakly Pareto optimal if there does not exist a
different CE $\rho$ in the convex hull of $N$ for which both $E[u_1(O(\rho))] > E[u_1(O(\pi))]$ and
$E[u_2(O(\rho))] > E[u_2(O(\pi))]$.

We say that a distribution is samplable if there exists a probabilistic TM that halts on
every infinite randomness vector, and can sample it. This is equivalent to requiring that all
probabilities can be expressed in binary (assuming we work over $\{0,1\}$). Note that every
distribution can be approximated arbitrarily accurately by a samplable distribution.

Theorem 7.1 Assume there exists a non-interactive computationally binding commitment
scheme. Let $\pi$ be a weakly Pareto optimal correlated equilibrium for a two-player game $\Gamma$
that is a samplable convex combination $\Pi$ of some set of samplable Nash equilibria. Then
there exists an extended extensive game and a profile that achieves the same expected payoffs
as $\pi$ and is a CTFNE.

Proof: Since $\Pi$ is samplable, the common denominator of all probabilities in $\Pi$ is a
power of two. Thus, we can assume $\Pi$ is a uniform distribution on a sequence of Nash
equilibria that may contain repetitions, where the length of the sequence is a power of two.
Let $2^\ell$ be the length of that sequence, and let $(\pi_{0^\ell}, \ldots, \pi_{1^\ell})$ be that sequence. Note that
the distribution $\pi$ can now be generated by first choosing uniformly at random a string $r$
in $\{0,1\}^\ell$, and then choosing a pair of actions according to $\pi_r$.

Let $\alpha^i$ be the NE that assigns the worst payoff for $P_i$ (this value represents the "severest
punishment" for player $i$).

Our protocol embeds a 2-party string sampling protocol, which is a simple
generalization of the Blum coin flipping protocol [5]. The protocol consists of simply running the
Blum protocol in parallel for a fixed number of times. This protocol, in turn, relies on a
perfectly binding commitment scheme as in Section 6, whose formal definition can be found
in Appendix A.

As in Section 6, we describe the two ITMs that form the protocol in an interleaved
manner. We denote the ITMs playing the strategies of $P_1, P_2$ by $M_1, M_2$, respectively.

• Round 1: Player 1 chooses uniformly at random a string $r = (r_1, \ldots, r_\ell)$ from $\{0,1\}^\ell$,
and sends $c = (c_1 = \mathrm{com}^{(k)}(r_1), \ldots, c_\ell = \mathrm{com}^{(k)}(r_\ell))$ to player 2 (player 1 also obtains
$(\mathrm{decom}_1, \ldots, \mathrm{decom}_\ell)$, where $\mathrm{decom}_i$ is a legal decommitment with respect to $c_i$ and
$r_i$).

• Round 2: If player 1 aborted, the assigned NE is $\alpha^1$. Else, player 2 chooses a uniformly
random string $r' = (r'_1, \ldots, r'_\ell)$ from $\{0,1\}^\ell$, and sends $r'$ to player 1.

• Round 3: If player 2 aborted, the assigned NE is $\alpha^2$. Else, player 1 sends the message
$((r_1, \mathrm{decom}_1), \ldots, (r_\ell, \mathrm{decom}_\ell))$.

• If player 1 aborted, the assigned NE is $\alpha^1$. Else, player 2 verifies that $\mathrm{decom}_i$ is a legal
decommitment with respect to $c_i$ and $r_i$ for $1 \le i \le \ell$. If the verification fails (which
is equivalent to an abort of player 1, as it means player 1 sent an illegal message), the
assigned NE is $\alpha^1$. Else, the assigned NE is $\pi_{r \oplus r'}$ (where $\oplus$ is bitwise exclusive-or).
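
The three rounds above, with the leaf assignment for each kind of abort, as an added example (not code from the paper). Assumptions: a SHA-256 hash commitment stands in for $\mathrm{com}^{(k)}$ (it is computationally rather than perfectly binding), $\ell = 2$, and the strings in `PI`, `ALPHA_1`, `ALPHA_2` are placeholder labels for the equilibria $\pi_s$, $\alpha^1$, $\alpha^2$; the deviating player classes are hypothetical.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from itertools import product

ELL = 2  # l: number of parallel coin flips, so the NE sequence has 2**ELL entries
# Constructed placeholders for the equilibria pi_s (s in {0,1}^ELL) and the
# punishment equilibria alpha^1, alpha^2; a real instance would hold strategies.
PI = {s: "pi_" + "".join(map(str, s)) for s in product((0, 1), repeat=ELL)}
ALPHA_1, ALPHA_2 = "alpha^1", "alpha^2"


def commit(bit):
    """Stand-in for com^(k): SHA-256 over a random nonce and the bit.
    Assumption: hash commitment, computationally (not perfectly) binding."""
    decom = secrets.token_bytes(32)
    return hashlib.sha256(decom + bytes([bit])).digest(), decom


def verify(c, bit, decom):
    """Player 2's check that decom is a legal decommitment to c revealing bit."""
    if bit not in (0, 1) or not isinstance(decom, bytes):
        return False
    return hmac.compare_digest(c, hashlib.sha256(decom + bytes([bit])).digest())


class HonestP1:
    def round1(self):
        self.r = [secrets.randbelow(2) for _ in range(ELL)]
        pairs = [commit(b) for b in self.r]
        self.decoms = [d for _, d in pairs]
        return [c for c, _ in pairs]

    def round3(self, r_prime):
        return list(zip(self.r, self.decoms))


class HonestP2:
    def round2(self, c):
        return [secrets.randbelow(2) for _ in range(ELL)]


class FixedP2:
    """Player 2 with a predetermined r' (still a legal round-2 message)."""
    def __init__(self, r_prime):
        self.r_prime = list(r_prime)

    def round2(self, c):
        return self.r_prime


class AbortingP2:
    def round2(self, c):
        return None  # abort in round 2


class SelectiveAbortP1(HonestP1):
    """Opens only when r XOR r' hits its preferred index, otherwise aborts."""
    def __init__(self, target):
        self.target = tuple(target)

    def round3(self, r_prime):
        s = tuple(a ^ b for a, b in zip(self.r, r_prime))
        return super().round3(r_prime) if s == self.target else None


class EquivocatingP1(HonestP1):
    """Claims whatever bits would yield its preferred index, reusing old decoms."""
    def __init__(self, target):
        self.target = tuple(target)

    def round3(self, r_prime):
        claimed = [t ^ b for t, b in zip(self.target, r_prime)]
        return list(zip(claimed, self.decoms))


def run_protocol(p1, p2):
    """Play rounds 1-3 and return the NE assigned at the resulting leaf."""
    c = p1.round1()
    if not (isinstance(c, list) and len(c) == ELL):
        return ALPHA_1                       # illegal message == abort by player 1
    r_prime = p2.round2(c)
    if not (isinstance(r_prime, list) and len(r_prime) == ELL
            and all(b in (0, 1) for b in r_prime)):
        return ALPHA_2                       # abort (or illegal message) by player 2
    opening = p1.round3(r_prime)
    if not (isinstance(opening, list) and len(opening) == ELL):
        return ALPHA_1                       # abort by player 1 in round 3
    if not all(verify(ci, ri, di) for ci, (ri, di) in zip(c, opening)):
        return ALPHA_1                       # failed verification == abort by player 1
    s = tuple(ri ^ b for (ri, _), b in zip(opening, r_prime))
    return PI[s]                             # pi_{r XOR r'}


def outcome_counts(make_p1, make_p2, runs=400):
    """Empirical distribution over assigned equilibria for fresh player pairs."""
    return Counter(run_protocol(make_p1(), make_p2()) for _ in range(runs))


if __name__ == "__main__":
    print("honest:", dict(outcome_counts(HonestP1, HonestP2)))
    print("selective abort:", dict(outcome_counts(lambda: SelectiveAbortP1((0, 0)), HonestP2)))
    print("equivocation:", dict(outcome_counts(lambda: EquivocatingP1((0, 0)), HonestP2)))
    print("P2 aborts:", dict(outcome_counts(HonestP1, AbortingP2, runs=5)))
```

Both player 1 deviations only move probability mass from the other $\pi_s$ onto $\alpha^1$, player 1's worst equilibrium, which is the punishment argument the protocol relies on.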

Lemma 7.2 The pair $(M_1,M_2)$ forms a CTFNE for the protocol above.

Proof: Let $\{\hat\Gamma^{(k)}\}_{k \in \mathbb{N}}$ be the sequence of games induced by the protocol. Denote the
pruned representation of $\hat\Gamma^{(k)}$ by $\Gamma^{(k)}$. Let $\hat\sigma_1^{(k)}, \hat\sigma_2^{(k)}$ be the strategies of $P_1, P_2$ in the
protocol with security parameter $k$, and let $\sigma_1^{(k)}, \sigma_2^{(k)}$ be their pruned representations. Let
$\sigma^{(k)} = (\sigma_1^{(k)}, \sigma_2^{(k)})$. We prove that $\{\sigma^{(k)}\}$ is a CTFNE in $\{\Gamma^{(k)}\}$, which, by the discussion of
Section 7.2, implies that $\{\hat\sigma^{(k)}\}$ is a CTFNE in $\{\hat\Gamma^{(k)}\}$.

First we define the functions $F_1^{(k)}$ and $F_2^{(k)}$. For any $k$, the function $F_1^{(k)}$ never maps to
$\bot$ (this, roughly speaking, reflects the fact that the protocol is secure against an all-powerful
player 1, which follows from the perfect binding property of the commitment scheme). For
$F_2$ we use the following rule: $F_2^{(k)}(M,\varepsilon) = \bot$ if and only if

$$E[u_2^{(k)}(O(\sigma_1^{(k)}, \sigma_M^{(k)}))] > E[u_2^{(k)}(O(\sigma^{(k)}))] + \varepsilon, \quad (1)$$

where $\sigma_M^{(k)}$ is the strategic representation of machine $M$ and $\sigma_1^{(k)}$ is the strategic
representation of machine $M_1$, both with security parameter $k$. In other words, $P_2$ cannot unilaterally
$\varepsilon$-improve in the $(T_{1,\varepsilon}^{(k)}, T_{2,\varepsilon}^{(k)})$-constrained version of $\Gamma^{(k)}$.

The fact that $F_1$ is PPT-covering is straightforward. The fact that $F_2$ is PPT-covering
follows from the security of the commitment scheme, as we prove next.

Claim 7.3 The strategy-filter $F_2$ is PPT-covering.

Proof: Suppose $F_2$ is not PPT-covering. Then from (1) there is a PPT ITM $M$
and a polynomial $p$ such that

$$E[u_2^{(k)}(O(\sigma_1^{(k)}, \sigma_M^{(k)}))] > E[u_2^{(k)}(O(\sigma_1^{(k)}, \sigma_2^{(k)}))] + 1/p(k) \quad (2)$$

for infinitely many $k$'s, where $\sigma_M^{(k)}$ is the strategic representation of the machine $M$
with security parameter $k$.

First, we show that we can assume $M$ does not abort in round 2. An abort of $P_2$
leads to a leaf with $\alpha^2$. But since $\pi$ is a convex combination of NEs, following the
protocol would mean playing a NE. Since by definition $\alpha^2$ is the worst NE for player 2,
it follows that the machine $M'$ that behaves the same as $M$, but whenever $M$ aborts,
$M'$ instead follows the protocol (i.e. acts like $M_2$) does at least as well as $M$. The
machine $M'$ is well-defined, as the reduced strategy $\sigma_2^{(k)}$ is in fact a full strategy, and
is defined everywhere.

Since the payoffs in $\{\Gamma^{(k)}\}$ are bounded in $k$ and the number of NEs in $\pi$ is fixed in $k$,
by (2) there exists a polynomial $p$ and (at least one) $s \in \{0,1\}^\ell$ such that for infinitely
many $k$'s

$$\Pr[O(\sigma_1^{(k)}, \sigma_M^{(k)}) = \pi_s] - \Pr[O(\sigma_1^{(k)}, \sigma_2^{(k)}) = \pi_s] > 1/p(k).$$

It follows that for infinitely many $k$'s

$$\Pr_{(\sigma_1^{(k)}, \sigma_M^{(k)})}[r \oplus r' = s] - \Pr_{(\sigma_1^{(k)}, \sigma_2^{(k)})}[r \oplus r' = s] > 1/p(k). \quad (3)$$



Claim 7.4 There exists a polynomial $q$ such that for each $k$ satisfying (3) there exists
some $i \in \{1, \ldots, \ell\}$ for which

$$\Pr_{(\sigma_1^{(k)}, \sigma_M^{(k)})}[r_i \oplus r'_i = s_i \mid r_j \oplus r'_j = s_j \ \forall j < i] - 1/2 > 1/q(k). \quad (4)$$

Proof: We show that the claim holds with $q(k) = 2^\ell \cdot p(k)$. Let $k$ be such that
(3) holds, and suppose towards a contradiction that (4) does not hold for any
$i \in \{1, \ldots, \ell\}$. Then

$$\begin{aligned}
&\Pr_{(\sigma_1^{(k)}, \sigma_M^{(k)})}[r \oplus r' = s] - \Pr_{(\sigma_1^{(k)}, \sigma_2^{(k)})}[r \oplus r' = s] \\
&\quad = \Pr_{(\sigma_1^{(k)}, \sigma_M^{(k)})}[r_1 \oplus r'_1 = s_1] \cdot \Pr_{(\sigma_1^{(k)}, \sigma_M^{(k)})}[r_2 \oplus r'_2 = s_2 \mid r_1 \oplus r'_1 = s_1] \cdots \\
&\qquad \Pr_{(\sigma_1^{(k)}, \sigma_M^{(k)})}[r_\ell \oplus r'_\ell = s_\ell \mid r_j \oplus r'_j = s_j \ \forall j < \ell] - \Pr_{(\sigma_1^{(k)}, \sigma_2^{(k)})}[r \oplus r' = s] \\
&\quad \le \left(\frac{1}{2} + \frac{1}{q(k)}\right)^{\ell} - \frac{1}{2^\ell} \\
&\quad < \frac{2^\ell}{q(k)} = \frac{1}{p(k)}.
\end{aligned}$$

The first inequality holds since the distribution on $r \oplus r'$ in $(\sigma_1^{(k)}, \sigma_2^{(k)})$ is
uniform on $\{0,1\}^\ell$. The second inequality follows from the observation that in
$(1/2 + 1/q(k))^\ell$ we are summing over $2^\ell$ terms, one equal to $1/2^\ell$ and the others
strictly smaller than $1/q(k)$. Thus, we get a contradiction to (3). ■

7 Note that we assume here that there exists such PPT ITM $M'$. This may not always be the case. One
reason is that sometimes detecting with probability 1 whether $M$ aborted cannot be done in polynomial
time (or at all). The reason is that any illegal message is regarded as abort, but sometimes a party cannot
"know" whether its message is illegal or not. See [3], Section 6.3 for an example. Another reason could be
that in order to "emulate" $M_2$, the machine $M'$ needs to be in some internal state. We note, however, that
in our case neither problem occurs.

Since there are infinitely many $k$'s for which (3) holds, and because $\ell$ is fixed, there
must exist some $i \in \{1, \ldots, \ell\}$ for which (4) holds infinitely often. This, however,
yields a PPT machine $A$ that breaks the hiding property of the commitment scheme:
Given a commitment $c = \mathrm{com}^{(k)}(r)$ for a uniformly chosen random bit $r$, the machine
$A$ chooses uniformly at random a string $(r_1, \ldots, r_{i-1}, r_{i+1}, \ldots, r_\ell)$ from $\{0,1\}^{\ell-1}$, and
runs $M$ on

$$(c_1 = \mathrm{com}^{(k)}(r_1), \ldots, c_{i-1} = \mathrm{com}^{(k)}(r_{i-1}), c, c_{i+1} = \mathrm{com}^{(k)}(r_{i+1}), \ldots, c_\ell = \mathrm{com}^{(k)}(r_\ell))$$

to get output $r'$. Then, if $r_j \oplus r'_j = s_j \ \forall j < i$, algorithm $A$ outputs $s_i \oplus r'_i$, and
otherwise $A$ outputs a uniformly random bit. Clearly $A$ is a PPT machine. From
(3) it follows that infinitely often, with probability at least $1/2^\ell$ it will be the case
that $r_j \oplus r'_j = s_j \ \forall j < i$. Once $r'$ is such that $r_j \oplus r'_j = s_j \ \forall j < i$, (4) implies that
$\Pr[s_i \oplus r'_i = r_i \mid r_j \oplus r'_j = s_j \ \forall j < i] > 1/2 + 1/q(k)$. Thus, in total, for infinitely many
$k$'s it holds that

$$\Pr[s_i \oplus r'_i = r_i] = \left(1 - \frac{1}{2^\ell}\right) \cdot \frac{1}{2} + \frac{1}{2^\ell} \cdot \left(\frac{1}{2} + \frac{1}{q(k)}\right) = \frac{1}{2} + \frac{1}{2^\ell q(k)},$$

which means that $A$ breaks the hiding property of the commitment scheme. This is a
contradiction. ■

Next, we show that for all $k,\varepsilon$ for which $F_1^{(k)}(M_1,\varepsilon) \neq \bot$ and $F_2^{(k)}(M_2,\varepsilon) \neq \bot$ the profile
$(F_1^{(k)}(M_1,\varepsilon), F_2^{(k)}(M_2,\varepsilon))$ constitutes an $\varepsilon$-TFNE in the $T = (T_{1,\varepsilon}^{(k)}, T_{2,\varepsilon}^{(k)})$-constrained version
of $\Gamma^{(k)}$. Let $k,\varepsilon$ be as above, and let $\sigma = (\sigma_1,\sigma_2) = (F_1^{(k)}(M_1,\varepsilon), F_2^{(k)}(M_2,\varepsilon))$. We first show
that $\sigma$ constitutes an $\varepsilon$-NE in the $T$-constrained version of $\Gamma^{(k)}$. Suppose $P_1$ unilaterally
$\varepsilon$-improves in the $T$-constrained version of $\Gamma^{(k)}$. From similar arguments as above we can
assume $P_1$ never aborts. But when $P_1$ never aborts the outcome is exactly $\pi$, as the players
are playing $\pi_{r \oplus r'}$, and $r'$ is chosen uniformly at random.

Suppose now that $P_2$ unilaterally $\varepsilon$-improves in the $T$-constrained version of $\Gamma^{(k)}$.
However, this is a contradiction to the constraints, that state that for any $k$ $P_2$ cannot
unilaterally $\varepsilon$-improve in the $(T_{1,\varepsilon}^{(k)}, T_{2,\varepsilon}^{(k)})$-constrained version of $\Gamma^{(k)}$.

Next, we show that no player is $\varepsilon$-threatened with respect to $\sigma$ at any round of the
$T$-constrained version of $\Gamma^{(k)}$. To this end, suppose towards a contradiction that some player
is $\varepsilon$-threatened with respect to $\sigma$. We divide the proof into cases.

Case 1 — $P_1$ is facing an $\varepsilon$-threat in round 3: In step 3 player 1 has exactly two
options: He can (i) play honestly, send $((r_1, \mathrm{decom}_1), \ldots, (r_\ell, \mathrm{decom}_\ell))$ which he generated
in round 1, and receive $E[u_1(O(\sigma))]$, or he can (ii) abort and receive $E[u_1(O(\alpha^1))]$. The
value $E[u_1(O(\alpha^1))]$ is at most $E[u_1(O(\sigma))]$, and so $P_1$ cannot improve over $E[u_1(O(\sigma))]$.
Hence player 1 is not facing an $\varepsilon$-threat at round 3.

Case 2 — $P_2$ is facing an $\varepsilon$-threat in round 2: We first note that for any round 1
strategy for $P_1$ and round 2 strategy for $P_2$, the round strategy of playing honestly in round
3 for $P_1$ is threat-free, since he cannot improve over that strategy (again, since his only
deviation is aborting, which gives him the worst possible NE). Thus, if $P_2$ is $\varepsilon$-threatened
at round 2, he has some round strategy that $\varepsilon$-improves over $E[u_2(O(\sigma))]$ when $P_1$ plays
in round 3 (and 1) according to the protocol. This means that $P_2$ unilaterally $\varepsilon$-improves,
which contradicts the constraints (as well as the $\varepsilon$-NE).

Case 3 — $P_1$ is facing an $\varepsilon$-threat in round 1: If $P_1$ is $\varepsilon$-threatened in round 1, he
has some round 1 strategy $\tau(1)$ for which every $\varepsilon$-threat-free continuation $\varepsilon$-improves over
every $\varepsilon$-threat-free continuation of $\sigma_1(1)$. We will describe an $\varepsilon$-threat-free continuation of
$\tau(1)$ and an $\varepsilon$-threat-free continuation of $\sigma_1(1)$ that contradict this.

The $\varepsilon$-threat-free continuation of $\sigma_1(1)$: We established in Case 2 that when $P_1$ plays
honestly in round 1, if $P_2$ plays honestly in round 2 he is not $\varepsilon$-threatened. We also
established there that $P_1$ playing honestly in round 3 is always $\varepsilon$-threat-free. It follows
that the continuation of both players playing honestly in rounds 2 and 3 is an $\varepsilon$-threat-free
continuation of $\sigma_1(1)$. On this profile $P_1$ receives $E[u_1(O(\sigma))]$.

The $\varepsilon$-threat-free continuation of $\tau(1)$: As we established in Case 2, playing honestly
in round 3 is always $\varepsilon$-threat-free for $P_1$. Now, note that there is no profile in which
both players improve simultaneously - because all leaves are Nash equilibria, such a profile
would be a distribution on Nash equilibria that contradicts the Pareto-optimality of $\pi$.
Note also that because $P_1$ receives the worst possible payoff when he aborts, it follows that
he improves also conditioned on not aborting (as this can only help him). Thus, in any
threat-free continuation of $\tau(1)$, conditioned on $P_1$ not aborting in round 1, $P_2$ again cannot
improve over $E[u_2(O(\sigma))]$, as this again contradicts the Pareto-optimality of $\pi$. However, if
$P_2$ plays honestly in round 2 and then $P_1$ plays honestly in round 3, then $P_2$ receives exactly
$E[u_2(O(\sigma))]$ conditioned on $P_1$ not aborting in round 1. It follows that this continuation is
the best possible for $P_2$, and thus $P_2$ is not $\varepsilon$-threatened in round 2 of this continuation.
It follows that this continuation is $\varepsilon$-threat-free. However, in this continuation $P_1$ receives
$E[u_1(O(\sigma))]$ conditioned on not aborting, and thus receives at most $E[u_1(O(\sigma))]$ without
the conditioning.

This completes the proof of the theorem.



8 A General Theorem 

In this section we prove a general theorem identifying sufficient conditions for a strategy 
profile to be a TFNE. The first condition is that the profile must be weakly Pareto optimal: 

Definition 8.1 (Weakly Pareto optimal) A strategy profile $\sigma \in T$ of an extensive game
$\Gamma = (H, P, A, u)$ with constraints $T$ is weakly Pareto optimal if there does not exist a strategy
profile $\pi \in T$ for which both $E[u_1(O(\pi))] > E[u_1(O(\sigma))]$ and $E[u_2(O(\pi))] > E[u_2(O(\sigma))]$.

Next, we require the profile to be $\varepsilon$-safe. Intuitively, this just means that a player cannot
harm the other too much by a unilateral deviation (as opposed to not being able to gain
too much, which is the NE condition).

Definition 8.2 ($\varepsilon$-safe) A strategy profile $\sigma = (\sigma_1,\sigma_2) \in T$ of an extensive game $\Gamma =
(H, P, A, u)$ with constraints $T = (T_1,T_2)$ is $\varepsilon$-safe if for each player $i$,

$$E[u_{-i}(O(\sigma))] > E[u_{-i}(O(\sigma'_i, \sigma_{-i}))] - \varepsilon$$

for every strategy $\sigma'_i \in T_i$ of player $i$.

Finally, we have the following theorem. Note that we are implicitly assuming that the 
extensive games in the claim are derived from a cryptographic protocol or some other setting 
in which it is natural to discuss the "rounds" of a game. 

Theorem 8.3 Let $\Gamma = (H, P, A, u)$ be an extensive game with constraints $T = (T_1,T_2)$,
and let $\sigma = (\sigma_1,\sigma_2)$ be a weakly Pareto optimal $\varepsilon$-NE of $\Gamma$ that is $\varepsilon$-safe. Then $\sigma$ is an
$\varepsilon$-TFNE of $\Gamma$.

We also have the following corollary.

Corollary 8.4 Let $\Gamma = (H, P, A, u)$ be a zero-sum extensive game with constraints $T =
(T_1, T_2)$, and let $\sigma$ be an $\varepsilon$-NE of $\Gamma$. Then $\sigma$ is an $\varepsilon$-TFNE of $\Gamma$.

The corollary follows from the observation that any $\varepsilon$-NE of a zero-sum game is both
weakly Pareto optimal and $\varepsilon$-safe. Note that the corollary implies the threat-freeness part
of Theorem 6.1.

We now prove Theorem 8.3.

Proof: Suppose towards contradiction that at least one of the players is facing an $\varepsilon$-threat
with respect to $\sigma$ at some round. Let $R$ be the latest such round: that is, player $i$ is facing
an $\varepsilon$-threat at round $R$ with respect to $\sigma$, and no player is facing an $\varepsilon$-threat at any round
$R'$ that follows $R$.

By Definition 4.4 it follows that there exists a round $R$ strategy $\tau = \tau(R)$ for player
$i$ such that the set $\mathrm{Cont}(\sigma(1, \ldots, R-1), \tau(R))$ is nonempty, and such that for all $\pi \in
\mathrm{Cont}(\sigma(1, \ldots, R-1), \tau(R))$ and $\pi' \in \mathrm{Cont}(\sigma(1, \ldots, R))$ that are $\varepsilon$-threat-free on $R$ it holds
that

$$E[u_i(O(\pi))] > E[u_i(O(\pi'))] + \varepsilon, \quad (5)$$

where

$$\sigma(1, \ldots, S) \stackrel{\text{def}}{=} \sigma(1), \ldots, \sigma(S)$$

and

$$\mathrm{Cont}(\sigma(1, \ldots, R)) = \{\pi \in T : \pi(S) = \sigma(S) \text{ for all } S \le R\}.$$

Note that $\sigma \in \mathrm{Cont}(\sigma(1, \ldots, R))$. Also note that, because $R$ is the latest round on which
an $\varepsilon$-threat occurs, the profile $\sigma$ is $\varepsilon$-threat-free on $R$.

Using inequality (5) we can then infer that for any $\pi \in \mathrm{Cont}(\sigma(1, \ldots, R-1), \tau(R))$ that
is $\varepsilon$-threat-free on $R$ it holds that

$$E[u_i(O(\pi))] > E[u_i(O(\sigma))] + \varepsilon. \quad (6)$$

Let $\pi^1 \in \mathrm{Cont}(\sigma(1, \ldots, R-1), \tau(R))$ be one such $\varepsilon$-threat-free profile, and let $\sigma^1 =$

Fix $R^1 = R$ and $\tau^1 = \tau$ for consistent notation. We next ask, is player $i$ facing an
$\varepsilon$-threat with respect to $\sigma^1$ at any round $R'$ that follows $R^1$? If yes, let $R^2$ be the next
such round: there is no $R'$ between $R^1$ and $R^2$ on which player $i$ is facing an $\varepsilon$-threat
with respect to $\sigma^1$. By Definition 4.4 it follows that there exists a round $R^2$ strategy $\tau^2$
for player $i$ such that $\mathrm{Cont}(\sigma^1(1, \ldots, R^2-1), \tau^2(R^2))$ is nonempty, and such that for all
$\pi \in \mathrm{Cont}(\sigma^1(1, \ldots, R^2-1), \tau^2(R^2))$ and $\pi' \in \mathrm{Cont}(\sigma^1(1, \ldots, R^2))$ that are $\varepsilon$-threat-free on
$R^2$ it holds that

$$E[u_i(O(\pi))] > E[u_i(O(\pi'))] + \varepsilon.$$

Assume $\tau^2$ is maximal, in the sense that for any $\pi \in \mathrm{Cont}(\sigma^1(1, \ldots, R^2-1), \tau^2(R^2))$
that is $\varepsilon$-threat-free on $R^2$, player $i$ is not facing an $\varepsilon$-threat at round $R^2$ with respect to
$\pi$. Pick some arbitrary $\pi^2 \in \mathrm{Cont}(\sigma^1(1, \ldots, R^2-1), \tau^2(R^2))$, and fix $\sigma^2 = (\pi_i^2, \sigma_{-i})$.

We now repeat the above procedure, finding the next threat to player $i$ and letting him
act on that threat, as follows. For $t = 3, 4, \dots$ we ask, is player $i$ facing an $\varepsilon$-threat with
respect to $\sigma^{t-1}$ at any round $R'$ that follows $R^{t-1}$? If yes, let $R^t$ be the next such round:
there is no $R'$ between $R^{t-1}$ and $R^t$ on which player $i$ is facing an $\varepsilon$-threat with respect to
$\sigma^{t-1}$.

By Definition 14.41 it follows that there exists a round $R^t$ strategy $\tau^t$ for player $i$ such that
$\mathrm{Cont}(\sigma^{t-1}(1, \dots, R^t-1), \tau^t(R^t))$ is nonempty, and such that for all
$\pi \in \mathrm{Cont}(\sigma^{t-1}(1, \dots, R^t-1), \tau^t(R^t))$ and $\pi' \in \mathrm{Cont}(\sigma^{t-1}(1, \dots, R^t))$ that are
$\varepsilon$-threat-free on $R^t$ it holds that

$$E[u_i(O(\pi))] > E[u_i(O(\pi'))] + \varepsilon.$$

Assume $\tau^t$ is maximal, in the sense that for any $\pi \in \mathrm{Cont}(\sigma^{t-1}(1, \dots, R^t-1), \tau^t(R^t))$
that is $\varepsilon$-threat-free on $R^t$, player $i$ is not facing an $\varepsilon$-threat at round $R^t$ with respect to $\pi$.
Pick some arbitrary $\pi^t \in \mathrm{Cont}(\sigma^{t-1}(1, \dots, R^t-1), \tau^t(R^t))$, and fix $\sigma^t = (\pi^t, \sigma_{-i})$.

Finally, after repeating this for all $t$ until there are no more $\varepsilon$-threats to $P_i$ on any round
that follows $R$, we are left with a profile $\sigma^C = (\pi^C, \sigma_{-i})$ on which player $i$ is not facing an
$\varepsilon$-threat at any round below $R$.

Fix $\rho = \sigma^C$, and recall that, by construction, $\rho_{-i} = \sigma_{-i}$. Because $\sigma$ is $\varepsilon$-safe, it must be
the case that

$$E[u_{-i}(O(\rho))] > E[u_{-i}(O(\sigma))] - \varepsilon. \tag{7}$$

We next ask, is player $-i$ facing an $\varepsilon$-threat with respect to $\rho$ at any round $S$ that
follows $R$? As the following claim shows, the answer is positive:

Claim 8.5 Player $-i$ is facing an $\varepsilon$-threat with respect to $\rho$ at some round $S$ that follows
$R$.

Proof: Suppose not. By our construction of $\rho$, player $i$ is also not facing an
$\varepsilon$-threat with respect to $\rho$ at any round that follows $R$. This means that the profile $\rho$ is
$\varepsilon$-threat-free on the subgames $R$.

Since $\rho \in \mathrm{Cont}(\sigma(1, \dots, R-1), \tau(R))$ and since $\sigma \in \mathrm{Cont}(\sigma(1, \dots, R))$ is $\varepsilon$-threat-free
on $R$, we can then use © to infer that

$$E[u_i(O(\rho))] > E[u_i(O(\sigma))] + \varepsilon.$$

However, since $\rho = (\pi^C, \sigma_{-i})$ is a unilateral deviation of player $i$, this contradicts the
fact that $\sigma$ constitutes an $\varepsilon$-NE. ∎

Let $S^1$ be the latest round on which $P_{-i}$ is facing an $\varepsilon$-threat with respect to $\rho$. By
Definition 14.41 it follows that there exists a round $S^1$ strategy $\mu^1$ for player $-i$ such that
$\mathrm{Cont}(\rho(1, \dots, S^1-1), \mu^1(S^1))$ is nonempty, and such that for all
$\pi \in \mathrm{Cont}(\rho(1, \dots, S^1-1), \mu^1(S^1))$ and $\pi' \in \mathrm{Cont}(\rho(1, \dots,$ that are $\varepsilon$-threat-free on $S^1$ it holds that

$$E[u_i(O(\pi))] > E[u_i(O(\pi'))] + \varepsilon.$$

Assume $\mu^1$ is maximal, in the sense that for any $\pi \in \mathrm{Cont}(\rho(1, \dots, S^1-1), \mu^1(S^1))$ that
is $\varepsilon$-threat-free on $S^1$, player $-i$ is not facing an $\varepsilon$-threat at round $S^1$ with respect to $\pi$.
Pick some $\rho^1 \in \mathrm{Cont}(\rho(1, \dots, S^1-1), \mu^1(S^1))$ that is $\varepsilon$-threat-free on $S^1$; such a $\rho^1$ must
exist by Proposition 14.61.

Now, note that because $S^1$ was the last round on which $P_{-i}$ is facing an $\varepsilon$-threat, and
because $P_i$ is not facing an $\varepsilon$-threat at any round following $R$ with respect to $\rho$, it must be
the case that $\rho$ is $\varepsilon$-threat-free on $S^1$. Since $\rho \in \mathrm{Cont}(\rho(1, \dots, S^1))$ we then have that

$$E[u_{-i}(O(\rho^1))] > E[u_{-i}(O(\rho))] + \varepsilon > E[u_{-i}(O(\sigma))],$$

where the second inequality follows from (7). We now repeat the above procedure, finding
the preceding threat to player $-i$ (but that still follows $R$) and letting him act on that
threat, as follows. For $t = 2, 3, \dots$ we ask, is $P_{-i}$ facing an $\varepsilon$-threat with respect to $\rho^{t-1}$ at
any round $S$ that follows $R$? If yes, let $S^t$ be the latest such round. By Definition 14.41 it
follows that there exists a round $S^t$ strategy $\mu^t$ for player $-i$ such that
$\mathrm{Cont}(\rho^{t-1}(1, \dots, S^t-1), \mu^t(S^t))$ is nonempty, and such that for all
$\pi \in \mathrm{Cont}(\rho^{t-1}(1, \dots, S^t-1), \mu^t(S^t))$ and $\pi' \in \mathrm{Cont}(\rho^{t-1}(1, \dots, S^t))$ that are
$\varepsilon$-threat-free on $S^t$ it holds that

$$E[u_i(O(\pi))] > E[u_i(O(\pi'))] + \varepsilon.$$

Assume $\mu^t$ is maximal, in the sense that for any $\pi \in \mathrm{Cont}(\rho^{t-1}(1, \dots, S^t-1), \mu^t(S^t))$
that is $\varepsilon$-threat-free on $S^t$, player $-i$ is not facing an $\varepsilon$-threat at round $S^t$ with respect to
$\pi$. Pick some $\rho^t \in \mathrm{Cont}(\rho^{t-1}(1, \dots, S^t-1), \mu^t(S^t))$ that is $\varepsilon$-threat-free on $S^t$; again, such
a must exist by Proposition 14.61.

Now, note that because $S^t$ was the last round on which $P_{-i}$ is facing an $\varepsilon$-threat, $P_{-i}$ is
not facing an $\varepsilon$-threat with respect to $\rho^{t-1}$ at any round following $S^t$. Since $\rho^{t-1}$ was chosen
to be $\varepsilon$-threat free on $S^{t-1}$, player $i$ is not facing an $\varepsilon$-threat with respect to $\rho^{t-1}$ at any
round following $S^{t-1}$. Finally, by construction, $P_i$ is not facing an $\varepsilon$-threat at any round
following $R$ with respect to $\rho$. Since $\rho$ and $\rho^{t-1}$ are equivalent up to round $S$, it must be
the case that $P_i$ is not facing an $\varepsilon$-threat with respect to $\rho^{t-1}$ at any round between $S^t$ and
$S^{t-1}$ either. Thus, is $\varepsilon$-threat-free on $S^t$. Since $\rho^{t-1} \in \mathrm{Cont}(\rho^{t-1}(1, \dots, S^t))$, we then
have that

$$\begin{aligned}
E[u_{-i}(O(\rho^t))] &> E[u_{-i}(O(\rho^{t-1}))] + \varepsilon \\
&> E[u_{-i}(O(\rho))] + t \cdot \varepsilon \\
&> E[u_{-i}(O(\sigma))] + (t-1) \cdot \varepsilon.
\end{aligned}$$

Finally, after repeating this for all $t$ until there are no more $\varepsilon$-threats to $P_{-i}$ at any
round that follows $R$, we are left with a profile $\rho^D \in \mathrm{Cont}(\sigma(1, \dots, R-1), \tau(R))$ on which
both $P_i$ and $P_{-i}$ are not facing an $\varepsilon$-threat at any round that follows $R$. We can then use
(6) to infer that

$$E[u_i(O(\rho^D))] > E[u_i(O(\sigma))] + \varepsilon.$$

Furthermore, $\rho^D$ satisfies

$$E[u_{-i}(O(\rho^D))] > E[u_{-i}(O(\rho))] + D \cdot \varepsilon > E[u_{-i}(O(\sigma))],$$

since $D > 1$.

We conclude that on the profile $\rho^D$ both players strictly improve over $\sigma$, contradicting
the weak Pareto optimality of $\sigma$. Hence no player is facing an $\varepsilon$-threat with respect to $\sigma$
at any round $R$, and this, coupled with the fact that $\sigma$ is an $\varepsilon$-NE, yields that the profile is an
$\varepsilon$-TFNE. ∎

Acknowledgments 

We thank Eddie Dekel, Oded Goldreich, Ehud Kalai, Eran Omri, and Gil Segev for helpful 
conversations, and the anonymous referees for careful reading and insightful comments. 

References 

[1] I. Abraham, D. Dolev, R. Gonen, and J. Halpern. Distributed computing meets game
theory: robust mechanisms for rational secret sharing and multiparty computation. In
25th Annual ACM Symposium on Principles of Distributed Computing, pages 53-62,
2006.

[2] G. Asharov and Y. Lindell. Utility dependence in correct and fair rational secret
sharing. In Advances in Cryptology - Crypto, pages 559-576, 2009. A full version,
containing additional results, is available at http://eprint.iacr.org/2009/373.

[3] Y. Aumann and Y. Lindell. Security against covert adversaries: Efficient
protocols for realistic adversaries. To appear in Journal of Cryptology. An
extended abstract appeared in TCC 2007. Full version can be found at
http://u.cs.biu.ac.il/~lindell/PAPERS/covert.pdf.

[4] E. Ben-Sasson, A. Tauman-Kalai, and E. Kalai. An approach to bounded rationality. 
In Advances in Neural Information Processing Systems, 2007. 

[5] M. Blum. Coin flipping by telephone. In CRYPTO, pages 11-15, 1981. 

[6] Y. Dodis, S. Halevi, and T. Rabin. A cryptographic solution to a game theoretic
problem. In Advances in Cryptology - Crypto, pages 11-15, 2000.

[7] L. Fortnow and R. Santhanam. Bounding rationality by discounting time. In
Proceedings of the First Symposium on Innovations in Computer Science, 2010.

[8] O. Goldreich. Foundation of Cryptography - Basic Tools. Cambridge University Press, 
2001. 

[9] S. D. Gordon and J. Katz. Rational secret sharing, revisited. In 5th Intl. Conf. on
Security and Cryptography for Networks (SCN), pages 229-241, 2006.

[10] R. Gradwohl. Rationality in the full-information model. In TCC, 2010. 

[11] R. Gradwohl, N. Livne, and A. Rosen. Incredible threats. In preparation. 

[12] I. Haitner and O. Reingold. Statistically-hiding commitment from any one-way
function. In STOC 2007, pages 1-10, 2007.

[13] J. Halpern and V. Teague. Rational secret sharing and multiparty computation:
Extended abstract. In 36th Annual ACM Symposium on Theory of Computing (STOC),
pages 623-632, 2004.

[14] J. Y. Halpern and R. Pass. Game theory with costly computation. In First Symposium 
on Innovations in Computer Science, 2010. 

[15] S. Izmalkov, S. Micali, and M. Lepinski. Rational secure computation and ideal
mechanism design. In FOCS, 2005.

[16] J. Katz. Bridging game theory and cryptography: Recent results and future directions. 
In 5th Theory of Cryptography Conference TCC, pages 251-272, 2008. 

[17] J. Katz, G. Fuchsbauer, and D. Naccache. Efficient rational secret sharing in the
standard communication model. In TCC, 2010.

[18] G. Kol and M. Naor. Cryptography and game theory: Designing protocols for
exchanging information. In 5th Theory of Cryptography Conference TCC, pages 320-339, 2008.

[19] G. Kol and M. Naor. Games for exchanging information. In 40th Annual ACM
Symposium on Theory of Computing (STOC), pages 423-432, 2008.

[20] M. Lepinski, S. Micali, and A. shelat. Collusion-free protocols. In STOC, 2005. 

[21] M. Luby, S. Micali, and C. Rackoff. How to simultaneously exchange a secret bit by 
flipping a symmetrically-biased coin. In FOCS, pages 11-21, 1983. 

[22] A. Lysyanskaya and N. Triandopoulos. Rationality and adversarial behavior in
multiparty computation. In Advances in Cryptology - Crypto, pages 180-197, 2006.

[23] S. Micali and A. Shelat. Truly rational secret sharing. In 6th Theory of Cryptography 
Conference TCC, pages 54-71, 2009. 

[24] M. Naor, R. Ostrovsky, R. Venkatesan, and M. Yung. Perfect zero-knowledge
arguments for NP using any one-way permutation. Jour. of Cryptology, 11:87-108, 1998.

[25] M. Naor and M. Yung. Universal one-way hash functions and their cryptographic 
applications. In 21st STOC, pages 33-43, 1989. 

[26] S. J. Ong, D. Parkes, A. Rosen, and S. Vadhan. Fairness with an honest minority and 
a rational majority. In Theory of Cryptography Conference TCC, pages 36-53, 2009. 

[27] M. J. Osborne and A. Rubinstein. A Course in Game Theory. MIT Press, 1994. 

[28] I. Damgard, T. Pedersen, and B. Pfitzmann. On the existence of statistically hiding 
bit commitment schemes and fail-stop signatures. In Crypto93, pages 250-265, 1993. 

A One-way Functions and Commitment Schemes 

A function $f$ is one-way if it is easy to compute but hard to invert given the image of a
random input. More formally,

Definition A.1 (One-way functions) A function $f : \{0,1\}^* \to \{0,1\}^*$ is said to be
one-way if the following two conditions hold:

1. There exists a polynomial-time algorithm that on input $x$ outputs $f(x)$.

2. For every probabilistic polynomial-time algorithm $A$, every polynomial $p(\cdot)$, and all
sufficiently large $n$'s

$$\Pr\left[A(1^n, f(U_n)) \in f^{-1}(f(U_n))\right] < \frac{1}{p(n)},$$

where $U_n$ denotes the uniform distribution over $\{0,1\}^n$.

In this paper we also deal with one-way permutations, and we note that the above
definition naturally extends to consider permutations.

A commitment scheme is a two-stage interactive protocol between a sender and a
receiver. After the first stage of the protocol, which is referred to as the commit stage, the
sender is bound to at most one value, not yet revealed to the receiver. In the second stage,
which is referred to as the reveal stage, the sender reveals its committed value to the receiver.
For simplicity of exposition, we will focus on bit-commitment schemes, i.e., commitment
schemes in which the committed value is only one bit. A bit-commitment scheme is defined
via a triplet of probabilistic polynomial-time Turing-machines $(\mathcal{S}, \mathcal{R}, \mathcal{V})$ such that:

• $\mathcal{S}$ receives as input the security parameter $1^n$ and a bit $b$. Following its interaction,
it outputs some information decom (the decommitment).

• $\mathcal{R}$ receives as input the security parameter $1^n$. Following its interaction, it outputs a
state information com (the commitment).

• $\mathcal{V}$ (acting as the receiver in the reveal stage$^{8}$) receives as input the security parameter
$1^n$, a commitment com and a decommitment decom. It outputs either a bit $b'$ or $\bot$.

Denote by $(\mathrm{decom}|\mathrm{com}) \leftarrow \langle \mathcal{S}(1^n, b), \mathcal{R}(1^n) \rangle$ the experiment in which $\mathcal{S}$ and $\mathcal{R}$ interact
(using the given inputs and uniformly chosen random coins), and then $\mathcal{S}$ outputs decom
while $\mathcal{R}$ outputs com. It is required that for all $n$, every bit $b$, and every pair $(\mathrm{decom}|\mathrm{com})$
that may be output by $\langle \mathcal{S}(1^n, b), \mathcal{R}(1^n) \rangle$, it holds that $\mathcal{V}(\mathrm{com}, \mathrm{decom}) =$

The security of a commitment scheme can be defined in two complementary ways,
protecting against either an all-powerful sender or an all-powerful receiver. The former are
referred to as statistically-binding commitment schemes, whereas the latter are referred to
as statistically-hiding commitment schemes. For simplicity, we assume that the associated
"error" is zero, resulting in perfectly-binding and perfectly-hiding commitment schemes.

In order to define the security properties of such schemes, we first introduce the following
notation. Given a commitment scheme $(\mathcal{S}, \mathcal{R}, \mathcal{V})$ and a Turing machine $\mathcal{R}^*$, we denote by
$\mathrm{view}_{\langle \mathcal{S}(b), \mathcal{R}^* \rangle}(1^n)$ the distribution of the view of $\mathcal{R}^*$ when interacting with $\mathcal{S}(1^n, b)$. This
view consists of $\mathcal{R}^*$'s random coins and of the sequence of messages it receives from $\mathcal{S}$. The
distribution is taken over the random coins of both $\mathcal{S}$ and $\mathcal{R}$. Similarly, given a Turing
machine $\mathcal{S}^*$ we denote by $\mathrm{view}_{\langle \mathcal{S}^*(1^n), \mathcal{R} \rangle}(1^n)$ the view of $\mathcal{S}^*$ when interacting with $\mathcal{R}(1^n)$.
Note that whenever no computational restrictions are assumed on $\mathcal{S}^*$ or $\mathcal{R}^*$, then without
loss of generality they can be assumed to be deterministic.

Definition A.2 (Perfectly-binding commitment) A bit-commitment scheme $(\mathcal{S}, \mathcal{R}, \mathcal{V})$
is said to be perfectly-binding if it satisfies the following two properties:

• Computational hiding: for every probabilistic polynomial-time Turing machine $\mathcal{R}^*$
the ensembles $\{\mathrm{view}_{\langle \mathcal{S}(0), \mathcal{R}^* \rangle}(1^n)\}_{n \in \mathbb{N}}$ and $\{\mathrm{view}_{\langle \mathcal{S}(1), \mathcal{R}^* \rangle}(1^n)\}_{n \in \mathbb{N}}$ are computationally
indistinguishable.

• Perfect binding: for every Turing machine $\mathcal{S}^*$

$$\Pr\left[ ((\mathrm{decom}, \mathrm{decom}') \mid \mathrm{com}) \leftarrow \langle \mathcal{S}^*(1^n), \mathcal{R}(1^n) \rangle \;:\; \mathcal{V}(\mathrm{com}, \mathrm{decom}) = {}\ ,\ \mathcal{V}(\mathrm{com}, \mathrm{decom}') = 1 \right]$$

for all sufficiently large $n$, where the probability is taken over the random coins of $\mathcal{R}$.

$^{8}$ Note that there is no loss of generality in assuming that the reveal stage is non-interactive. This is
since any such interactive stage can be replaced with a non-interactive one as follows: The sender sends its
internal state to the receiver, who then simulates the sender in the interactive stage.

$^{9}$ Although we assume perfect completeness, it is not essential for our results.



Perfectly-binding commitments can be constructed assuming the existence of any
one-way permutation [5]. The construction is "non-interactive," meaning that the commitment
phase consists of a single message sent from the sender $\mathcal{S}$ to the receiver $\mathcal{R}$.
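The commit/reveal interface and the perfect-binding property of Definition A.2, as an added Python example (not code from the paper). It assumes the textbook one-message construction com = (f(x), r, <x,r> XOR b) with an inner-product hard-core predicate; the 8-bit permutation is a constructed toy that is not one-way, so the example demonstrates completeness and binding only, and the names f_perm, f_lossy, hc and equivocable are illustrative.

```python
import secrets

P, G, N_BITS = 257, 3, 8   # constructed toy parameters: 3 generates Z_257^*

def f_perm(x):
    """Toy permutation on {0..255}: x -> 3^x mod 257, shifted down by 1. NOT one-way."""
    return pow(G, x, P) - 1

def f_lossy(x):
    """Non-injective variant (drops one output bit), used to show binding failing."""
    return f_perm(x) >> 1

def hc(x, r):
    """Inner product of the bit strings x and r over GF(2) (assumed hard-core predicate)."""
    return bin(x & r).count("1") & 1

def commit(b, f=f_perm):
    """Sender S: the single message is com = (f(x), r, hc(x, r) XOR b); decom = x."""
    x = secrets.randbelow(1 << N_BITS)
    r = secrets.randbelow(1 << N_BITS)
    return (f(x), r, hc(x, r) ^ b), x

def verify(com, decom, f=f_perm):
    """V: return the committed bit, or None (the text's "bottom") if decom does not match."""
    y, r, c = com
    if not (0 <= decom < (1 << N_BITS)) or f(decom) != y:
        return None
    return c ^ hc(decom, r)

def equivocable(f):
    """Count commitment strings that some pair (decom, decom') opens to both 0 and 1."""
    preimages = {}
    for x in range(1 << N_BITS):
        preimages.setdefault(f(x), []).append(x)
    count = 0
    for y, xs in preimages.items():
        for r in range(1 << N_BITS):
            for c in (0, 1):
                opened = {verify((y, r, c), x, f) for x in xs}
                count += opened == {0, 1}
    return count

if __name__ == "__main__":
    com, decom = commit(1)
    print("opens to:", verify(com, decom))
    print("equivocable commitments, permutation:", equivocable(f_perm))
    print("equivocable commitments, lossy f:    ", equivocable(f_lossy))
```

With the permutation every commitment string has exactly one valid decommitment, so even an unbounded sender cannot open it both ways; with the two-to-one f_lossy, half of all (y, r) pairs can be opened to either bit.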

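Definition A.3 (Perfectly-hiding commitment) A bit-commitment scheme $(\mathcal{S}, \mathcal{R}, \mathcal{V})$
is said to be perfectly-hiding if it satisfies the following two properties:

• Perfect hiding: for every Turing machine $\mathcal{R}^*$ the ensembles $\{\mathrm{view}_{\langle \mathcal{S}(0), \mathcal{R}^* \rangle}(1^n)\}_{n \in \mathbb{N}}$
and $\{\mathrm{view}_{\langle \mathcal{S}(1), \mathcal{R}^* \rangle}(1^n)\}_{n \in \mathbb{N}}$ are identically distributed.

• Computational binding: for every probabilistic polynomial-time Turing machine
$\mathcal{S}^*$ there exists a negligible function $\mu(n)$ so that

$$\Pr\left[ ((\mathrm{decom}, \mathrm{decom}') \mid \mathrm{com}) \leftarrow \langle \mathcal{S}^*(1^n), \mathcal{R}(1^n) \rangle \;:\; \mathcal{V}(\mathrm{com}, \mathrm{decom}) = {}\ ,\ \mathcal{V}(\mathrm{com}, \mathrm{decom}') = 1 \right]$$

for all sufficiently large $n$, where the probability is taken over the random coins of both
$\mathcal{S}^*$ and $\mathcal{R}$.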



Perfectly-hiding commitments can be constructed assuming the existence of any one-way
permutation [24]. This construction is "highly-interactive," in that the commitment phase
requires the exchange of $n - 1$ messages between the sender and the receiver, where $n$ is the
security parameter. By relaxing the hiding condition to be only "statistical" it is possible
to weaken the underlying assumption to the existence of one-way functions [12]. Assuming
the existence of collision resistant hash functions, it is possible to construct two-message
statistically-hiding commitments [25, 28].